From 5b4004cc8435c9db1c9d48e6058ce26401ec2cf7 Mon Sep 17 00:00:00 2001 From: Martijn Laarman Date: Thu, 26 Sep 2024 16:20:37 +0200 Subject: [PATCH] Support nested entities when using AssignField (#450) Addresses #402 Continuation of #401 This now allows us to log not just the value types but also deeply nested entities on other entities. E.g `threat.indicator.file.pe.company` now successfully assigns to `doc.Threat.IndicatorFile.Pe.Company` The only thing we don't support today is self referential (reused) entities e.g `process.parent.*` since these require a tad more massaging of the intermediary model. --- .../AssignableInterfaces.Generated.cs | 301 + .../EcsDocument.Generated.cs | 2 +- .../Entities.Generated.cs | 132 +- src/Elastic.CommonSchema/Entities.cs | 1 + .../FieldSets.Generated.cs | 34 +- .../LogTemplateProperties.Generated.cs | 6473 ++++++++++++++--- .../PropDispatch.Generated.cs | 2833 +++++++- .../Serialization/EcsJsonContext.Generated.cs | 4 +- .../Repro/GithubIssue402.cs | 81 + .../FileGenerator.cs | 1 + .../Projection/ProjectionTypeExtensions.cs | 1 + .../Projection/PropertyReference.cs | 108 +- .../Projection/TypeProjector.cs | 70 +- .../Projection/Types.cs | 156 +- .../AssignableInterfaces.Generated.cshtml | 41 + .../Views/EcsDocument.Generated.cshtml | 2 +- .../Views/EcsJsonContext.Generated.cshtml | 2 + .../Views/Entities.Generated.cshtml | 4 +- .../LogTemplateProperties.Generated.cshtml | 8 +- .../Views/PropDispatch.Generated.cshtml | 37 +- 20 files changed, 8966 insertions(+), 1325 deletions(-) create mode 100644 src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs create mode 100644 tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs create mode 100644 tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml diff --git a/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs b/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs new file mode 100644 index 00000000..b66da896 --- /dev/null 
+++ b/src/Elastic.CommonSchema/AssignableInterfaces.Generated.cs 
@@ -0,0 +1,301 @@ +// Licensed to Elasticsearch B.V under one or more agreements. +// Elasticsearch B.V licenses this file to you under the Apache 2.0 License. +// See the LICENSE file in the project root for more information + +/* +IMPORTANT NOTE +============== +This file has been generated. +If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! +*/ + +// ReSharper disable RedundantUsingDirective +using System; +using System.Collections.Generic; +using System.Threading; +using System.Threading.Tasks; +using System.Linq; +using System.Net; +using System.Runtime.Serialization; +using System.Text.Json.Serialization; + +#nullable enable +namespace Elastic.CommonSchema +{ + + /// Interface for entities that can assign an IAs: Client, Destination, Server, Source + public interface IAs { + ///as + public As? As { get; set; } + } + + /// Interface for entities that can assign an IGeo: Client, Destination, Host, Observer, Server, Source + public interface IGeo { + ///geo + public Geo? Geo { get; set; } + } + + /// Interface for entities that can assign an IUser: Client, Destination, Process, Server, Source + public interface IUser { + ///user + public User? User { get; set; } + } + + /// Interface for entities that can assign an ICloudOrigin: Cloud + public interface ICloudOrigin { + ///origin + public CloudOrigin? Origin { get; set; } + } + + /// Interface for entities that can assign an ICloudTarget: Cloud + public interface ICloudTarget { + ///target + public CloudTarget? Target { get; set; } + } + + /// Interface for entities that can assign an IHash: Dll, File, Process + public interface IHash { + ///hash + public Hash? Hash { get; set; } + } + + /// Interface for entities that can assign an IPe: Dll, File, Process + public interface IPe { + ///pe + public Pe? 
Pe { get; set; } + } + + /// Interface for entities that can assign an ICodeSignature: Dll, File, Process + public interface ICodeSignature { + ///code_signature + public CodeSignature? CodeSignature { get; set; } + } + + /// Interface for entities that can assign an IX509: File + public interface IX509 { + ///x509 + public X509? X509 { get; set; } + } + + /// Interface for entities that can assign an IElf: File, Process + public interface IElf { + ///elf + public Elf? Elf { get; set; } + } + + /// Interface for entities that can assign an IMacho: File, Process + public interface IMacho { + ///macho + public Macho? Macho { get; set; } + } + + /// Interface for entities that can assign an IOs: Host, Observer, UserAgent + public interface IOs { + ///os + public Os? Os { get; set; } + } + + /// Interface for entities that can assign an IRisk: Host, User + public interface IRisk { + ///risk + public Risk? Risk { get; set; } + } + + /// Interface for entities that can assign an IVlan: Network + public interface IVlan { + ///vlan + public Vlan? Vlan { get; set; } + } + + /// Interface for entities that can assign an IGroup: Process, User + public interface IGroup { + ///group + public Group? Group { get; set; } + } + + /// Interface for entities that can assign an IRealGroup: Process + public interface IRealGroup { + ///real_group + public Group? RealGroup { get; set; } + } + + /// Interface for entities that can assign an ISavedGroup: Process + public interface ISavedGroup { + ///saved_group + public Group? SavedGroup { get; set; } + } + + /// Interface for entities that can assign an ISupplementalGroups: Process + public interface ISupplementalGroups { + ///supplemental_groups + public Group[]? SupplementalGroups { get; set; } + } + + /// Interface for entities that can assign an IAttestedGroups: Process + public interface IAttestedGroups { + ///attested_groups + public Group[]? 
AttestedGroups { get; set; } + } + + /// Interface for entities that can assign an IEntryMetaSource: Process + public interface IEntryMetaSource { + ///entry_meta.source + public Source? EntryMetaSource { get; set; } + } + + /// Interface for entities that can assign an ISavedUser: Process + public interface ISavedUser { + ///saved_user + public User? SavedUser { get; set; } + } + + /// Interface for entities that can assign an IRealUser: Process + public interface IRealUser { + ///real_user + public User? RealUser { get; set; } + } + + /// Interface for entities that can assign an IAttestedUser: Process + public interface IAttestedUser { + ///attested_user + public User? AttestedUser { get; set; } + } + + /// Interface for entities that can assign an IProcessParent: Process + public interface IProcessParent { + ///parent + public ProcessParent? Parent { get; set; } + } + + /// Interface for entities that can assign an IProcessEntryLeader: Process + public interface IProcessEntryLeader { + ///entry_leader + public ProcessEntryLeader? EntryLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessSessionLeader: Process + public interface IProcessSessionLeader { + ///session_leader + public ProcessSessionLeader? SessionLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessGroupLeader: Process + public interface IProcessGroupLeader { + ///group_leader + public ProcessGroupLeader? GroupLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessPrevious: Process + public interface IProcessPrevious { + ///previous + public ProcessPrevious[]? Previous { get; set; } + } + + /// Interface for entities that can assign an IServiceOrigin: Service + public interface IServiceOrigin { + ///origin + public ServiceOrigin? Origin { get; set; } + } + + /// Interface for entities that can assign an IServiceTarget: Service + public interface IServiceTarget { + ///target + public ServiceTarget? 
Target { get; set; } + } + + /// Interface for entities that can assign an IIndicatorX509: Threat + public interface IIndicatorX509 { + ///indicator.x509 + public X509? IndicatorX509 { get; set; } + } + + /// Interface for entities that can assign an IIndicatorAs: Threat + public interface IIndicatorAs { + ///indicator.as + public As? IndicatorAs { get; set; } + } + + /// Interface for entities that can assign an IIndicatorFile: Threat + public interface IIndicatorFile { + ///indicator.file + public File? IndicatorFile { get; set; } + } + + /// Interface for entities that can assign an IIndicatorGeo: Threat + public interface IIndicatorGeo { + ///indicator.geo + public Geo? IndicatorGeo { get; set; } + } + + /// Interface for entities that can assign an IIndicatorRegistry: Threat + public interface IIndicatorRegistry { + ///indicator.registry + public Registry? IndicatorRegistry { get; set; } + } + + /// Interface for entities that can assign an IIndicatorUrl: Threat + public interface IIndicatorUrl { + ///indicator.url + public Url? IndicatorUrl { get; set; } + } + + /// Interface for entities that can assign an IClientX509: Tls + public interface IClientX509 { + ///client.x509 + public X509? ClientX509 { get; set; } + } + + /// Interface for entities that can assign an IServerX509: Tls + public interface IServerX509 { + ///server.x509 + public X509? ServerX509 { get; set; } + } + + /// Interface for entities that can assign an IUserTarget: User + public interface IUserTarget { + ///target + public UserTarget? Target { get; set; } + } + + /// Interface for entities that can assign an IUserEffective: User + public interface IUserEffective { + ///effective + public UserEffective? Effective { get; set; } + } + + /// Interface for entities that can assign an IUserChanges: User + public interface IUserChanges { + ///changes + public UserChanges? 
Changes { get; set; } + } + + /// Interface for entities that can assign an IProcessParentGroupLeader: ProcessParent + public interface IProcessParentGroupLeader { + ///group_leader + public ProcessParentGroupLeader? GroupLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessEntryLeaderParent: ProcessEntryLeader + public interface IProcessEntryLeaderParent { + ///parent + public ProcessEntryLeaderParent? Parent { get; set; } + } + + /// Interface for entities that can assign an IProcessSessionLeaderParent: ProcessSessionLeader + public interface IProcessSessionLeaderParent { + ///parent + public ProcessSessionLeaderParent? Parent { get; set; } + } + + /// Interface for entities that can assign an IProcessEntryLeaderParentSessionLeader: ProcessEntryLeaderParent + public interface IProcessEntryLeaderParentSessionLeader { + ///session_leader + public ProcessEntryLeaderParentSessionLeader? SessionLeader { get; set; } + } + + /// Interface for entities that can assign an IProcessSessionLeaderParentSessionLeader: ProcessSessionLeaderParent + public interface IProcessSessionLeaderParentSessionLeader { + ///session_leader + public ProcessSessionLeaderParentSessionLeader? SessionLeader { get; set; } + } +} diff --git a/src/Elastic.CommonSchema/EcsDocument.Generated.cs b/src/Elastic.CommonSchema/EcsDocument.Generated.cs index 3b513e4c..378d0bd8 100644 --- a/src/Elastic.CommonSchema/EcsDocument.Generated.cs +++ b/src/Elastic.CommonSchema/EcsDocument.Generated.cs @@ -24,7 +24,7 @@ If you wish to submit a PR please modify the original csharp file and submit the namespace Elastic.CommonSchema { /// - public partial class EcsDocument : BaseFieldSet + public partial class EcsDocument : BaseFieldSet , IAs, ICodeSignature, IElf, IGeo, IGroup, IHash, IMacho, IOs, IPe, IRisk, IUser, IVlan, IX509 { /// diff --git a/src/Elastic.CommonSchema/Entities.Generated.cs b/src/Elastic.CommonSchema/Entities.Generated.cs index 93398c92..99d8648d 100644 
--- a/src/Elastic.CommonSchema/Entities.Generated.cs +++ b/src/Elastic.CommonSchema/Entities.Generated.cs @@ -24,15 +24,15 @@ namespace Elastic.CommonSchema { /// - public class CloudOrigin : CloudFieldSet { + public class CloudOrigin : CloudFieldSet { } /// - public class CloudTarget : CloudFieldSet { + public class CloudTarget : CloudFieldSet { } /// - public class ProcessParent : ProcessFieldSet { + public class ProcessParent : ProcessFieldSet { /// /// process.parent.group_leader @@ -43,7 +43,7 @@ public class ProcessParent : ProcessFieldSet { } /// - public class ProcessEntryLeader : ProcessFieldSet { + public class ProcessEntryLeader : ProcessFieldSet { /// /// process.entry_leader.parent @@ -54,7 +54,7 @@ public class ProcessEntryLeader : ProcessFieldSet { } /// - public class ProcessSessionLeader : ProcessFieldSet { + public class ProcessSessionLeader : ProcessFieldSet { /// /// process.session_leader.parent @@ -65,15 +65,15 @@ public class ProcessSessionLeader : ProcessFieldSet { } /// - public class ProcessGroupLeader : ProcessFieldSet { + public class ProcessGroupLeader : ProcessFieldSet { } /// - public class ProcessParentGroupLeader : ProcessFieldSet { + public class ProcessParentGroupLeader : ProcessFieldSet { } /// - public class ProcessEntryLeaderParent : ProcessFieldSet { + public class ProcessEntryLeaderParent : ProcessFieldSet { /// /// process.entry_leader.parent.session_leader @@ -84,7 +84,7 @@ public class ProcessEntryLeaderParent : ProcessFieldSet { } /// - public class ProcessSessionLeaderParent : ProcessFieldSet { + public class ProcessSessionLeaderParent : ProcessFieldSet { /// /// process.session_leader.parent.session_leader 
@@ -95,47 +95,47 @@ public class ProcessSessionLeaderParent : ProcessFieldSet { } /// - public class ProcessEntryLeaderParentSessionLeader : ProcessFieldSet { + public class ProcessEntryLeaderParentSessionLeader : ProcessFieldSet { } /// - public class ProcessSessionLeaderParentSessionLeader : ProcessFieldSet { + public class ProcessSessionLeaderParentSessionLeader : ProcessFieldSet { } /// - public class ProcessPrevious : ProcessFieldSet { + public class ProcessPrevious : ProcessFieldSet { } /// - public class ServiceOrigin : ServiceFieldSet { + public class ServiceOrigin : ServiceFieldSet { } /// - public class ServiceTarget : ServiceFieldSet { + public class ServiceTarget : ServiceFieldSet { } /// - public class UserTarget : UserFieldSet { + public class UserTarget : UserFieldSet { } /// - public class UserEffective : UserFieldSet { + public class UserEffective : UserFieldSet { } /// - public class UserChanges : UserFieldSet { + public class UserChanges : UserFieldSet { } /// - public class Agent : AgentFieldSet { + public class Agent : AgentFieldSet { } /// - public class As : AsFieldSet { + public class As : AsFieldSet { } /// - public class Client : ClientFieldSet { + public class Client : ClientFieldSet , IAs, IGeo, IUser { /// /// client.as @@ -160,7 +160,7 @@ public class Client : ClientFieldSet { } /// - public class Cloud : CloudFieldSet { + public class Cloud : CloudFieldSet , ICloudOrigin, ICloudTarget { /// /// cloud.origin @@ -178,19 +178,19 @@ public class Cloud : CloudFieldSet { } /// - public class CodeSignature : CodeSignatureFieldSet { + public class CodeSignature : CodeSignatureFieldSet { } /// - public class Container : ContainerFieldSet { + public class Container : ContainerFieldSet { } /// - public class DataStream : DataStreamFieldSet { + public class DataStream : DataStreamFieldSet { } /// - public class Destination : DestinationFieldSet { + public class Destination : DestinationFieldSet , IAs, IGeo, IUser { /// /// destination.as 
@@ -215,11 +215,11 @@ public class Destination : DestinationFieldSet { } /// - public class Device : DeviceFieldSet { + public class Device : DeviceFieldSet { } /// - public class Dll : DllFieldSet { + public class Dll : DllFieldSet , IHash, IPe, ICodeSignature { /// /// dll.hash @@ -244,35 +244,35 @@ public class Dll : DllFieldSet { } /// - public class Dns : DnsFieldSet { + public class Dns : DnsFieldSet { } /// - public partial class Ecs : EcsFieldSet { + public partial class Ecs : EcsFieldSet { } /// - public class Elf : ElfFieldSet { + public class Elf : ElfFieldSet { } /// - public class Email : EmailFieldSet { + public class Email : EmailFieldSet { } /// - public class Error : ErrorFieldSet { + public class Error : ErrorFieldSet { } /// - public class Event : EventFieldSet { + public class Event : EventFieldSet { } /// - public class Faas : FaasFieldSet { + public class Faas : FaasFieldSet { } /// - public class File : FileFieldSet { + public class File : FileFieldSet , IHash, IPe, ICodeSignature, IX509, IElf, IMacho { /// /// file.hash @@ -318,19 +318,19 @@ public class File : FileFieldSet { } /// - public class Geo : GeoFieldSet { + public class Geo : GeoFieldSet { } /// - public class Group : GroupFieldSet { + public class Group : GroupFieldSet { } /// - public class Hash : HashFieldSet { + public class Hash : HashFieldSet { } /// - public class Host : HostFieldSet { + public class Host : HostFieldSet , IGeo, IOs, IRisk { /// /// host.geo 
@@ -355,23 +355,23 @@ public class Host : HostFieldSet { } /// - public class Http : HttpFieldSet { + public class Http : HttpFieldSet { } /// - public class Interface : InterfaceFieldSet { + public class Interface : InterfaceFieldSet { } /// - public partial class Log : LogFieldSet { + public partial class Log : LogFieldSet { } /// - public class Macho : MachoFieldSet { + public class Macho : MachoFieldSet { } /// - public class Network : NetworkFieldSet { + public class Network : NetworkFieldSet , IVlan { /// /// network.vlan @@ -382,7 +382,7 @@ public class Network : NetworkFieldSet { } /// - public class Observer : ObserverFieldSet { + public class Observer : ObserverFieldSet , IGeo, IOs { /// /// observer.geo @@ -400,27 +400,27 @@ public class Observer : ObserverFieldSet { } /// - public class Orchestrator : OrchestratorFieldSet { + public class Orchestrator : OrchestratorFieldSet { } /// - public class Organization : OrganizationFieldSet { + public class Organization : OrganizationFieldSet { } /// - public class Os : OsFieldSet { + public class Os : OsFieldSet { } /// - public class Package : PackageFieldSet { + public class Package : PackageFieldSet { } /// - public class Pe : PeFieldSet { + public class Pe : PeFieldSet { } /// - public class Process : ProcessFieldSet { + public class Process : ProcessFieldSet , IUser, IHash, IPe, ICodeSignature, IElf, IMacho, IGroup, IRealGroup, ISavedGroup, ISupplementalGroups, IAttestedGroups, IEntryMetaSource, ISavedUser, IRealUser, IAttestedUser, IProcessParent, IProcessEntryLeader, IProcessSessionLeader, IProcessGroupLeader, IProcessPrevious { /// /// process.group 
@@ -564,23 +564,23 @@ public class Process : ProcessFieldSet { } /// - public class Registry : RegistryFieldSet { + public class Registry : RegistryFieldSet { } /// - public class Related : RelatedFieldSet { + public class Related : RelatedFieldSet { } /// - public class Risk : RiskFieldSet { + public class Risk : RiskFieldSet { } /// - public class Rule : RuleFieldSet { + public class Rule : RuleFieldSet { } /// - public class Server : ServerFieldSet { + public class Server : ServerFieldSet , IAs, IGeo, IUser { /// /// server.as @@ -605,7 +605,7 @@ public class Server : ServerFieldSet { } /// - public class Service : ServiceFieldSet { + public class Service : ServiceFieldSet , IServiceOrigin, IServiceTarget { /// /// service.origin @@ -623,7 +623,7 @@ public class Service : ServiceFieldSet { } /// - public class Source : SourceFieldSet { + public class Source : SourceFieldSet , IAs, IGeo, IUser { /// /// source.as @@ -648,7 +648,7 @@ public class Source : SourceFieldSet { } /// - public class Threat : ThreatFieldSet { + public class Threat : ThreatFieldSet , IIndicatorX509, IIndicatorAs, IIndicatorFile, IIndicatorGeo, IIndicatorRegistry, IIndicatorUrl { /// /// threat.indicator.x509 @@ -694,7 +694,7 @@ public class Threat : ThreatFieldSet { } /// - public class Tls : TlsFieldSet { + public class Tls : TlsFieldSet , IClientX509, IServerX509 { /// /// tls.client.x509 @@ -712,11 +712,11 @@ public class Tls : TlsFieldSet { } /// - public class Url : UrlFieldSet { + public class Url : UrlFieldSet { } /// - public class User : UserFieldSet { + public class User : UserFieldSet , IRisk, IGroup, IUserTarget, IUserEffective, IUserChanges { /// /// user.group @@ -755,7 +755,7 @@ public class User : UserFieldSet { } /// - public class UserAgent : UserAgentFieldSet { + public class UserAgent : UserAgentFieldSet , IOs { /// /// user_agent.os 
@@ -766,14 +766,14 @@ public class UserAgent : UserAgentFieldSet { } /// - public class Vlan : VlanFieldSet { + public class Vlan : VlanFieldSet { } /// - public class Vulnerability : VulnerabilityFieldSet { + public class Vulnerability : VulnerabilityFieldSet { } /// - public class X509 : X509FieldSet { + public class X509 : X509FieldSet { } } diff --git a/src/Elastic.CommonSchema/Entities.cs b/src/Elastic.CommonSchema/Entities.cs index edf28bc3..36b46ee0 100644 --- a/src/Elastic.CommonSchema/Entities.cs +++ b/src/Elastic.CommonSchema/Entities.cs @@ -11,3 +11,4 @@ namespace Elastic.CommonSchema; public partial class Log { } [JsonConverter(typeof(EcsEntityJsonConverter))] public partial class Ecs { } + diff --git a/src/Elastic.CommonSchema/FieldSets.Generated.cs b/src/Elastic.CommonSchema/FieldSets.Generated.cs index 36f5ef91..4b0fce6a 100644 --- a/src/Elastic.CommonSchema/FieldSets.Generated.cs +++ b/src/Elastic.CommonSchema/FieldSets.Generated.cs @@ -116,7 +116,7 @@ public abstract class BaseFieldSet { /// If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. /// Required field for all events. ///
This is a required field
- /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM ///
[JsonPropertyName("@timestamp"), DataMember(Name = "@timestamp")] public DateTimeOffset? Timestamp { get; set; } @@ -448,7 +448,7 @@ public abstract class CodeSignatureFieldSet { /// /// code_signature.timestamp /// Date and time when the code signature was generated and signed. - /// 1/1/2021 12:10:30PM + /// 1/1/2021 12:10:30 PM /// [JsonPropertyName("timestamp"), DataMember(Name = "timestamp")] public DateTimeOffset? Timestamp { get; set; } @@ -1201,7 +1201,7 @@ public abstract class EmailFieldSet { /// /// email.delivery_timestamp /// The date and time when the email message was received by the service or client. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// [JsonPropertyName("delivery_timestamp"), DataMember(Name = "delivery_timestamp")] public DateTimeOffset? DeliveryTimestamp { get; set; } @@ -1242,7 +1242,7 @@ public abstract class EmailFieldSet { /// /// email.origination_timestamp /// The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// [JsonPropertyName("origination_timestamp"), DataMember(Name = "origination_timestamp")] public DateTimeOffset? OriginationTimestamp { get; set; } @@ -1425,7 +1425,7 @@ public abstract class EventFieldSet { /// This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. /// In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. /// In case the two timestamps are identical, `@timestamp` should be used. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM ///
[JsonPropertyName("created"), DataMember(Name = "created")] public DateTimeOffset? Created { get; set; } @@ -1478,7 +1478,7 @@ public abstract class EventFieldSet { /// Timestamp when an event arrived in the central data store. /// This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. /// In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - /// 5/23/2016 8:05:35AM + /// 5/23/2016 8:05:35 AM ///
[JsonPropertyName("ingested"), DataMember(Name = "ingested")] public DateTimeOffset? Ingested { get; set; } @@ -3343,7 +3343,7 @@ public abstract class ProcessFieldSet { /// /// process.end /// The time the process ended. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// [JsonPropertyName("end"), DataMember(Name = "end")] public DateTimeOffset? End { get; set; } @@ -3424,7 +3424,7 @@ public abstract class ProcessFieldSet { /// /// process.start /// The time the process started. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// [JsonPropertyName("start"), DataMember(Name = "start")] public DateTimeOffset? Start { get; set; } @@ -4215,7 +4215,7 @@ public abstract class ThreatFieldSet { /// /// threat.indicator.first_seen /// The date and time when intelligence source first reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// [JsonPropertyName("indicator.first_seen"), DataMember(Name = "indicator.first_seen")] public DateTimeOffset? IndicatorFirstSeen { get; set; } @@ -4231,7 +4231,7 @@ public abstract class ThreatFieldSet { /// /// threat.indicator.last_seen /// The date and time when intelligence source last reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// [JsonPropertyName("indicator.last_seen"), DataMember(Name = "indicator.last_seen")] public DateTimeOffset? IndicatorLastSeen { get; set; } @@ -4264,7 +4264,7 @@ public abstract class ThreatFieldSet { /// /// threat.indicator.modified_at /// The date and time when intelligence source last modified information for this indicator. - /// 11/5/2020 5:25:47PM + /// 11/5/2020 5:25:47 PM /// [JsonPropertyName("indicator.modified_at"), DataMember(Name = "indicator.modified_at")] public DateTimeOffset? IndicatorModifiedAt { get; set; } 
@@ -4571,7 +4571,7 @@ public abstract class TlsFieldSet { /// /// tls.client.not_after /// Date/Time indicating when client certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// [JsonPropertyName("client.not_after"), DataMember(Name = "client.not_after")] public DateTimeOffset? ClientNotAfter { get; set; } @@ -4579,7 +4579,7 @@ public abstract class TlsFieldSet { /// /// tls.client.not_before /// Date/Time indicating when client certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// [JsonPropertyName("client.not_before"), DataMember(Name = "client.not_before")] public DateTimeOffset? ClientNotBefore { get; set; } @@ -4699,7 +4699,7 @@ public abstract class TlsFieldSet { /// /// tls.server.not_after /// Timestamp indicating when server certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// [JsonPropertyName("server.not_after"), DataMember(Name = "server.not_after")] public DateTimeOffset? ServerNotAfter { get; set; } @@ -4707,7 +4707,7 @@ public abstract class TlsFieldSet { /// /// tls.server.not_before /// Timestamp indicating when server certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// [JsonPropertyName("server.not_before"), DataMember(Name = "server.not_before")] public DateTimeOffset? ServerNotBefore { get; set; } @@ -5180,7 +5180,7 @@ public abstract class X509FieldSet { /// /// x509.not_after /// Time at which the certificate is no longer considered valid. - /// 7/16/2020 3:15:39AM + /// 7/16/2020 3:15:39 AM /// [JsonPropertyName("not_after"), DataMember(Name = "not_after")] public DateTimeOffset? NotAfter { get; set; } 
@@ -5188,7 +5188,7 @@ public abstract class X509FieldSet { /// /// x509.not_before /// Time at which the certificate is first considered valid. - /// 8/16/2019 1:40:25AM + /// 8/16/2019 1:40:25 AM /// [JsonPropertyName("not_before"), DataMember(Name = "not_before")] public DateTimeOffset? NotBefore { get; set; } diff --git a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs index 43428c8e..c79620dc 100644 --- a/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs +++ b/src/Elastic.CommonSchema/LogTemplateProperties.Generated.cs @@ -33,7 +33,7 @@ public static class LogTemplateProperties /// If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. /// Required field for all events. ///
This is a required field
- /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM ///
public static string Timestamp = nameof(Timestamp); /// 
@@ -201,6 +201,180 @@ public static class LogTemplateProperties /// public static string ClientTopLevelDomain = nameof(ClientTopLevelDomain); /// + /// client.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string ClientAsNumber = nameof(ClientAsNumber); + /// + /// client.as.organization.name + /// Organization name. + /// Google LLC + /// + public static string ClientAsOrganizationName = nameof(ClientAsOrganizationName); + /// + /// client.geo.city_name + /// City name. + /// Montreal + /// + public static string ClientGeoCityName = nameof(ClientGeoCityName); + /// + /// client.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string ClientGeoContinentCode = nameof(ClientGeoContinentCode); + /// + /// client.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string ClientGeoContinentName = nameof(ClientGeoContinentName); + /// + /// client.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ClientGeoCountryIsoCode = nameof(ClientGeoCountryIsoCode); + /// + /// client.geo.country_name + /// Country name. + /// Canada + /// + public static string ClientGeoCountryName = nameof(ClientGeoCountryName); + /// + /// client.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ClientGeoLocation = nameof(ClientGeoLocation); + /// + /// client.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. 
+ /// boston-dc + /// + public static string ClientGeoName = nameof(ClientGeoName); + /// + /// client.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string ClientGeoPostalCode = nameof(ClientGeoPostalCode); + /// + /// client.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ClientGeoRegionIsoCode = nameof(ClientGeoRegionIsoCode); + /// + /// client.geo.region_name + /// Region name. + /// Quebec + /// + public static string ClientGeoRegionName = nameof(ClientGeoRegionName); + /// + /// client.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string ClientGeoTimezone = nameof(ClientGeoTimezone); + /// + /// client.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ClientUserDomain = nameof(ClientUserDomain); + /// + /// client.user.email + /// User email address. + /// + /// + public static string ClientUserEmail = nameof(ClientUserEmail); + /// + /// client.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ClientUserFullName = nameof(ClientUserFullName); + /// + /// client.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ClientUserHash = nameof(ClientUserHash); + /// + /// client.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ClientUserId = nameof(ClientUserId); + /// + /// client.user.name + /// Short name or login of the user. 
+ /// a.einstein + /// + public static string ClientUserName = nameof(ClientUserName); + /// + /// client.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ClientUserGroupDomain = nameof(ClientUserGroupDomain); + /// + /// client.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ClientUserGroupId = nameof(ClientUserGroupId); + /// + /// client.user.group.name + /// Name of the group. + /// + /// + public static string ClientUserGroupName = nameof(ClientUserGroupName); + /// + /// client.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ClientUserRiskCalculatedLevel = nameof(ClientUserRiskCalculatedLevel); + /// + /// client.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string ClientUserRiskCalculatedScore = nameof(ClientUserRiskCalculatedScore); + /// + /// client.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ClientUserRiskCalculatedScoreNorm = nameof(ClientUserRiskCalculatedScoreNorm); + /// + /// client.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ClientUserRiskStaticLevel = nameof(ClientUserRiskStaticLevel); + /// + /// client.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ /// 830.0 + /// + public static string ClientUserRiskStaticScore = nameof(ClientUserRiskStaticScore); + /// + /// client.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ClientUserRiskStaticScoreNorm = nameof(ClientUserRiskStaticScoreNorm); + /// /// cloud.account.id /// The cloud account or organization id used to identify different entities in a multi-tenant environment. /// Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. @@ -314,7 +488,7 @@ public static class LogTemplateProperties /// /// code_signature.timestamp /// Date and time when the code signature was generated and signed. - /// 1/1/2021 12:10:30PM + /// 1/1/2021 12:10:30 PM /// public static string CodeSignatureTimestamp = nameof(CodeSignatureTimestamp); /// 
@@ -507,6 +681,180 @@ public static class LogTemplateProperties /// public static string DestinationTopLevelDomain = nameof(DestinationTopLevelDomain); /// + /// destination.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string DestinationAsNumber = nameof(DestinationAsNumber); + /// + /// destination.as.organization.name + /// Organization name. + /// Google LLC + /// + public static string DestinationAsOrganizationName = nameof(DestinationAsOrganizationName); + /// + /// destination.geo.city_name + /// City name. + /// Montreal + /// + public static string DestinationGeoCityName = nameof(DestinationGeoCityName); + /// + /// destination.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string DestinationGeoContinentCode = nameof(DestinationGeoContinentCode); + /// + /// destination.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string DestinationGeoContinentName = nameof(DestinationGeoContinentName); + /// + /// destination.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string DestinationGeoCountryIsoCode = nameof(DestinationGeoCountryIsoCode); + /// + /// destination.geo.country_name + /// Country name. + /// Canada + /// + public static string DestinationGeoCountryName = nameof(DestinationGeoCountryName); + /// + /// destination.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string DestinationGeoLocation = nameof(DestinationGeoLocation); + /// + /// destination.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. 
+ /// boston-dc + /// + public static string DestinationGeoName = nameof(DestinationGeoName); + /// + /// destination.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string DestinationGeoPostalCode = nameof(DestinationGeoPostalCode); + /// + /// destination.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string DestinationGeoRegionIsoCode = nameof(DestinationGeoRegionIsoCode); + /// + /// destination.geo.region_name + /// Region name. + /// Quebec + /// + public static string DestinationGeoRegionName = nameof(DestinationGeoRegionName); + /// + /// destination.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string DestinationGeoTimezone = nameof(DestinationGeoTimezone); + /// + /// destination.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string DestinationUserDomain = nameof(DestinationUserDomain); + /// + /// destination.user.email + /// User email address. + /// + /// + public static string DestinationUserEmail = nameof(DestinationUserEmail); + /// + /// destination.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string DestinationUserFullName = nameof(DestinationUserFullName); + /// + /// destination.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string DestinationUserHash = nameof(DestinationUserHash); + /// + /// destination.user.id + /// Unique identifier of the user. 
+ /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string DestinationUserId = nameof(DestinationUserId); + /// + /// destination.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string DestinationUserName = nameof(DestinationUserName); + /// + /// destination.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string DestinationUserGroupDomain = nameof(DestinationUserGroupDomain); + /// + /// destination.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string DestinationUserGroupId = nameof(DestinationUserGroupId); + /// + /// destination.user.group.name + /// Name of the group. + /// + /// + public static string DestinationUserGroupName = nameof(DestinationUserGroupName); + /// + /// destination.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string DestinationUserRiskCalculatedLevel = nameof(DestinationUserRiskCalculatedLevel); + /// + /// destination.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string DestinationUserRiskCalculatedScore = nameof(DestinationUserRiskCalculatedScore); + /// + /// destination.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. 
+ /// 88.73 + /// + public static string DestinationUserRiskCalculatedScoreNorm = nameof(DestinationUserRiskCalculatedScoreNorm); + /// + /// destination.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string DestinationUserRiskStaticLevel = nameof(DestinationUserRiskStaticLevel); + /// + /// destination.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string DestinationUserRiskStaticScore = nameof(DestinationUserRiskStaticScore); + /// + /// destination.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string DestinationUserRiskStaticScoreNorm = nameof(DestinationUserRiskStaticScoreNorm); + /// /// device.id /// The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. /// On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. 
@@ -546,28 +894,230 @@ public static class LogTemplateProperties /// public static string DllPath = nameof(DllPath); /// - /// dns.id - /// The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - /// 62111 + /// dll.hash.md5 + /// MD5 hash. + /// /// - public static string DnsId = nameof(DnsId); + public static string DllHashMd5 = nameof(DllHashMd5); /// - /// dns.op_code - /// The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - /// QUERY + /// dll.hash.sha1 + /// SHA1 hash. + /// /// - public static string DnsOpCode = nameof(DnsOpCode); + public static string DllHashSha1 = nameof(DllHashSha1); /// - /// dns.question.class - /// The class of records being queried. - /// IN + /// dll.hash.sha256 + /// SHA256 hash. + /// /// - public static string DnsQuestionClass = nameof(DnsQuestionClass); + public static string DllHashSha256 = nameof(DllHashSha256); /// - /// dns.question.name - /// The name being queried. - /// If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - /// www.example.com + /// dll.hash.sha384 + /// SHA384 hash. + /// + /// + public static string DllHashSha384 = nameof(DllHashSha384); + /// + /// dll.hash.sha512 + /// SHA512 hash. + /// + /// + public static string DllHashSha512 = nameof(DllHashSha512); + /// + /// dll.hash.ssdeep + /// SSDEEP hash. + /// + /// + public static string DllHashSsdeep = nameof(DllHashSsdeep); + /// + /// dll.hash.tlsh + /// TLSH hash. + /// + /// + public static string DllHashTlsh = nameof(DllHashTlsh); + /// + /// dll.pe.architecture + /// CPU architecture target for the file. 
+ /// x64 + /// + public static string DllPeArchitecture = nameof(DllPeArchitecture); + /// + /// dll.pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation + /// + public static string DllPeCompany = nameof(DllPeCompany); + /// + /// dll.pe.description + /// Internal description of the file, provided at compile-time. + /// Paint + /// + public static string DllPeDescription = nameof(DllPeDescription); + /// + /// dll.pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 + /// + public static string DllPeFileVersion = nameof(DllPeFileVersion); + /// + /// dll.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string DllPeGoImportHash = nameof(DllPeGoImportHash); + /// + /// dll.pe.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string DllPeGoImports = nameof(DllPeGoImports); + /// + /// dll.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string DllPeGoImportsNamesEntropy = nameof(DllPeGoImportsNamesEntropy); + /// + /// dll.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string DllPeGoImportsNamesVarEntropy = nameof(DllPeGoImportsNamesVarEntropy); + /// + /// dll.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. 
+ /// + /// + public static string DllPeGoStripped = nameof(DllPeGoStripped); + /// + /// dll.pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf + /// + public static string DllPeImphash = nameof(DllPeImphash); + /// + /// dll.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string DllPeImportHash = nameof(DllPeImportHash); + /// + /// dll.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string DllPeImportsNamesEntropy = nameof(DllPeImportsNamesEntropy); + /// + /// dll.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string DllPeImportsNamesVarEntropy = nameof(DllPeImportsNamesVarEntropy); + /// + /// dll.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE + /// + public static string DllPeOriginalFileName = nameof(DllPeOriginalFileName); + /// + /// dll.pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. 
+ /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// + public static string DllPePehash = nameof(DllPePehash); + /// + /// dll.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System + /// + public static string DllPeProduct = nameof(DllPeProduct); + /// + /// dll.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. + /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 + /// + public static string DllCodeSignatureDigestAlgorithm = nameof(DllCodeSignatureDigestAlgorithm); + /// + /// dll.code_signature.exists + /// Boolean to capture if a signature is present. + /// true + /// + public static string DllCodeSignatureExists = nameof(DllCodeSignatureExists); + /// + /// dll.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy + /// + public static string DllCodeSignatureSigningId = nameof(DllCodeSignatureSigningId); + /// + /// dll.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + /// ERROR_UNTRUSTED_ROOT + /// + public static string DllCodeSignatureStatus = nameof(DllCodeSignatureStatus); + /// + /// dll.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation + /// + public static string DllCodeSignatureSubjectName = nameof(DllCodeSignatureSubjectName); + /// + /// dll.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. 
+ /// EQHXZ8M8AV + /// + public static string DllCodeSignatureTeamId = nameof(DllCodeSignatureTeamId); + /// + /// dll.code_signature.timestamp + /// Date and time when the code signature was generated and signed. + /// 1/1/2021 12:10:30 PM + /// + public static string DllCodeSignatureTimestamp = nameof(DllCodeSignatureTimestamp); + /// + /// dll.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + /// true + /// + public static string DllCodeSignatureTrusted = nameof(DllCodeSignatureTrusted); + /// + /// dll.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. + /// Leave unpopulated if a certificate was unchecked. + /// true + /// + public static string DllCodeSignatureValid = nameof(DllCodeSignatureValid); + /// + /// dns.id + /// The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + /// 62111 + /// + public static string DnsId = nameof(DnsId); + /// + /// dns.op_code + /// The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + /// QUERY + /// + public static string DnsOpCode = nameof(DnsOpCode); + /// + /// dns.question.class + /// The class of records being queried. + /// IN + /// + public static string DnsQuestionClass = nameof(DnsQuestionClass); + /// + /// dns.question.name + /// The name being queried. + /// If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. 
+ /// www.example.com /// public static string DnsQuestionName = nameof(DnsQuestionName); /// @@ -758,7 +1308,7 @@ public static class LogTemplateProperties /// /// email.delivery_timestamp /// The date and time when the email message was received by the service or client. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// public static string EmailDeliveryTimestamp = nameof(EmailDeliveryTimestamp); /// @@ -783,7 +1333,7 @@ public static class LogTemplateProperties /// /// email.origination_timestamp /// The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. - /// 11/10/2020 10:12:34PM + /// 11/10/2020 10:12:34 PM /// public static string EmailOriginationTimestamp = nameof(EmailOriginationTimestamp); /// @@ -867,7 +1417,7 @@ public static class LogTemplateProperties /// This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. /// In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. /// In case the two timestamps are identical, `@timestamp` should be used. - /// 5/23/2016 8:05:34AM + /// 5/23/2016 8:05:34 AM /// public static string EventCreated = nameof(EventCreated); /// 
@@ -908,7 +1458,7 @@ public static class LogTemplateProperties /// Timestamp when an event arrived in the central data store. /// This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. /// In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - /// 5/23/2016 8:05:35AM + /// 5/23/2016 8:05:35 AM /// public static string EventIngested = nameof(EventIngested); /// 
@@ -1229,680 +1779,796 @@ public static class LogTemplateProperties /// public static string FileUid = nameof(FileUid); /// - /// geo.city_name - /// City name. - /// Montreal + /// file.hash.md5 + /// MD5 hash. + /// /// - public static string GeoCityName = nameof(GeoCityName); + public static string FileHashMd5 = nameof(FileHashMd5); /// - /// geo.continent_code - /// Two-letter code representing continent's name. - /// NA + /// file.hash.sha1 + /// SHA1 hash. + /// /// - public static string GeoContinentCode = nameof(GeoContinentCode); + public static string FileHashSha1 = nameof(FileHashSha1); /// - /// geo.continent_name - /// Name of the continent. - /// North America + /// file.hash.sha256 + /// SHA256 hash. + /// /// - public static string GeoContinentName = nameof(GeoContinentName); + public static string FileHashSha256 = nameof(FileHashSha256); /// - /// geo.country_iso_code - /// Country ISO code. - /// CA + /// file.hash.sha384 + /// SHA384 hash. + /// /// - public static string GeoCountryIsoCode = nameof(GeoCountryIsoCode); + public static string FileHashSha384 = nameof(FileHashSha384); /// - /// geo.country_name - /// Country name. - /// Canada + /// file.hash.sha512 + /// SHA512 hash. + /// /// - public static string GeoCountryName = nameof(GeoCountryName); + public static string FileHashSha512 = nameof(FileHashSha512); /// - /// geo.name - /// User-defined description of a location, at the level of granularity they care about. - /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - /// Not typically used in automated geolocation. - /// boston-dc + /// file.hash.ssdeep + /// SSDEEP hash. + /// /// - public static string GeoName = nameof(GeoName); + public static string FileHashSsdeep = nameof(FileHashSsdeep); /// - /// geo.postal_code - /// Postal code associated with the location. 
- /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - /// 94040 + /// file.hash.tlsh + /// TLSH hash. + /// /// - public static string GeoPostalCode = nameof(GeoPostalCode); + public static string FileHashTlsh = nameof(FileHashTlsh); /// - /// geo.region_iso_code - /// Region ISO code. - /// CA-QC + /// file.pe.architecture + /// CPU architecture target for the file. + /// x64 /// - public static string GeoRegionIsoCode = nameof(GeoRegionIsoCode); + public static string FilePeArchitecture = nameof(FilePeArchitecture); /// - /// geo.region_name - /// Region name. - /// Quebec + /// file.pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation /// - public static string GeoRegionName = nameof(GeoRegionName); + public static string FilePeCompany = nameof(FilePeCompany); /// - /// geo.timezone - /// The time zone of the location, such as IANA time zone name. - /// America/Argentina/Buenos_Aires + /// file.pe.description + /// Internal description of the file, provided at compile-time. + /// Paint /// - public static string GeoTimezone = nameof(GeoTimezone); + public static string FilePeDescription = nameof(FilePeDescription); /// - /// group.domain - /// Name of the directory the group is a member of. - /// For example, an LDAP or Active Directory domain name. - /// + /// file.pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 /// - public static string GroupDomain = nameof(GroupDomain); + public static string FilePeFileVersion = nameof(FilePeFileVersion); /// - /// group.id - /// Unique identifier for the group on the system/platform. - /// + /// file.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string GroupId = nameof(GroupId); + public static string FilePeGoImportHash = nameof(FilePeGoImportHash); /// - /// group.name - /// Name of the group. + /// file.pe.go_imports + /// List of imported Go language element names and types. /// /// - public static string GroupName = nameof(GroupName); + public static string FilePeGoImports = nameof(FilePeGoImports); /// - /// hash.md5 - /// MD5 hash. + /// file.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. /// /// - public static string HashMd5 = nameof(HashMd5); + public static string FilePeGoImportsNamesEntropy = nameof(FilePeGoImportsNamesEntropy); /// - /// hash.sha1 - /// SHA1 hash. + /// file.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string HashSha1 = nameof(HashSha1); + public static string FilePeGoImportsNamesVarEntropy = nameof(FilePeGoImportsNamesVarEntropy); /// - /// hash.sha256 - /// SHA256 hash. + /// file.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string HashSha256 = nameof(HashSha256); + public static string FilePeGoStripped = nameof(FilePeGoStripped); /// - /// hash.sha384 - /// SHA384 hash. - /// + /// file.pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
+ /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf /// - public static string HashSha384 = nameof(HashSha384); + public static string FilePeImphash = nameof(FilePeImphash); /// - /// hash.sha512 - /// SHA512 hash. - /// + /// file.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. + /// d41d8cd98f00b204e9800998ecf8427e /// - public static string HashSha512 = nameof(HashSha512); + public static string FilePeImportHash = nameof(FilePeImportHash); /// - /// hash.ssdeep - /// SSDEEP hash. + /// file.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. /// /// - public static string HashSsdeep = nameof(HashSsdeep); + public static string FilePeImportsNamesEntropy = nameof(FilePeImportsNamesEntropy); /// - /// hash.tlsh - /// TLSH hash. + /// file.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. /// /// - public static string HashTlsh = nameof(HashTlsh); + public static string FilePeImportsNamesVarEntropy = nameof(FilePeImportsNamesVarEntropy); /// - /// host.architecture - /// Operating system architecture. - /// x86_64 + /// file.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE /// - public static string HostArchitecture = nameof(HostArchitecture); + public static string FilePeOriginalFileName = nameof(FilePeOriginalFileName); /// - /// host.boot.id - /// Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. 
Some container runtimes will bind mount a new boot_id value onto the proc file in each container. - ///
This field is beta and subject to change.
- /// 88a1f0ed-5ae5-41ee-af6b-41921c311872 + /// file.pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 ///
- public static string HostBootId = nameof(HostBootId); + public static string FilePePehash = nameof(FilePePehash); /// - /// host.cpu.usage - /// Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. - /// Scaling factor: 1000. - /// For example: For a two core host, this value should be the average of the two cores, between 0 and 1. - /// + /// file.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System /// - public static string HostCpuUsage = nameof(HostCpuUsage); + public static string FilePeProduct = nameof(FilePeProduct); /// - /// host.disk.read.bytes - /// The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. - /// + /// file.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA /// - public static string HostDiskReadBytes = nameof(HostDiskReadBytes); + public static string FileX509IssuerDistinguishedName = nameof(FileX509IssuerDistinguishedName); /// - /// host.disk.write.bytes - /// The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. - /// + /// file.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM /// - public static string HostDiskWriteBytes = nameof(HostDiskWriteBytes); + public static string FileX509NotAfter = nameof(FileX509NotAfter); /// - /// host.domain - /// Name of the domain of which the host is a member. - /// For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - /// CONTOSO + /// file.x509.not_before + /// Time at which the certificate is first considered valid. 
+ /// 8/16/2019 1:40:25 AM /// - public static string HostDomain = nameof(HostDomain); + public static string FileX509NotBefore = nameof(FileX509NotBefore); /// - /// host.hostname - /// Hostname of the host. - /// It normally contains what the `hostname` command returns on the host machine. - /// + /// file.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA /// - public static string HostHostname = nameof(HostHostname); + public static string FileX509PublicKeyAlgorithm = nameof(FileX509PublicKeyAlgorithm); /// - /// host.id - /// Unique host id. - /// As hostname is not always unique, use values that are meaningful in your environment. - /// Example: The current usage of `beat.name`. - /// + /// file.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 /// - public static string HostId = nameof(HostId); + public static string FileX509PublicKeyCurve = nameof(FileX509PublicKeyCurve); /// - /// host.name - /// Name of the host. - /// It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. - /// + /// file.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 ///
- public static string HostName = nameof(HostName); + public static string FileX509PublicKeyExponent = nameof(FileX509PublicKeyExponent); /// - /// host.network.egress.bytes - /// The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - /// + /// file.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 /// - public static string HostNetworkEgressBytes = nameof(HostNetworkEgressBytes); + public static string FileX509PublicKeySize = nameof(FileX509PublicKeySize); /// - /// host.network.egress.packets - /// The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. - /// + /// file.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA /// - public static string HostNetworkEgressPackets = nameof(HostNetworkEgressPackets); + public static string FileX509SerialNumber = nameof(FileX509SerialNumber); /// - /// host.network.ingress.bytes - /// The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. - /// + /// file.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA /// - public static string HostNetworkIngressBytes = nameof(HostNetworkIngressBytes); + public static string FileX509SignatureAlgorithm = nameof(FileX509SignatureAlgorithm); /// - /// host.network.ingress.packets - /// The number of packets (gauge) received on all network interfaces by the host since the last metric collection. - /// + /// file.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. 
+ /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net /// - public static string HostNetworkIngressPackets = nameof(HostNetworkIngressPackets); + public static string FileX509SubjectDistinguishedName = nameof(FileX509SubjectDistinguishedName); /// - /// host.pid_ns_ino - /// This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. - ///
This field is beta and subject to change.
- /// 256383 + /// file.x509.version_number + /// Version of x509 format. + /// 3 ///
- public static string HostPidNsIno = nameof(HostPidNsIno); + public static string FileX509VersionNumber = nameof(FileX509VersionNumber); /// - /// host.type - /// Type of host. - /// For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - /// + /// file.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. + /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 /// - public static string HostType = nameof(HostType); + public static string FileCodeSignatureDigestAlgorithm = nameof(FileCodeSignatureDigestAlgorithm); /// - /// host.uptime - /// Seconds the host has been up. - /// 1325 + /// file.code_signature.exists + /// Boolean to capture if a signature is present. + /// true /// - public static string HostUptime = nameof(HostUptime); + public static string FileCodeSignatureExists = nameof(FileCodeSignatureExists); /// - /// http.request.body.bytes - /// Size in bytes of the request body. - /// 887 + /// file.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy /// - public static string HttpRequestBodyBytes = nameof(HttpRequestBodyBytes); + public static string FileCodeSignatureSigningId = nameof(FileCodeSignatureSigningId); /// - /// http.request.body.content - /// The full HTTP request body. - /// Hello world + /// file.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
+ /// ERROR_UNTRUSTED_ROOT /// - public static string HttpRequestBodyContent = nameof(HttpRequestBodyContent); + public static string FileCodeSignatureStatus = nameof(FileCodeSignatureStatus); /// - /// http.request.bytes - /// Total size in bytes of the request (body and headers). - /// 1437 + /// file.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation /// - public static string HttpRequestBytes = nameof(HttpRequestBytes); + public static string FileCodeSignatureSubjectName = nameof(FileCodeSignatureSubjectName); /// - /// http.request.id - /// A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. - /// The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. - /// 123e4567-e89b-12d3-a456-426614174000 + /// file.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + /// EQHXZ8M8AV /// - public static string HttpRequestId = nameof(HttpRequestId); + public static string FileCodeSignatureTeamId = nameof(FileCodeSignatureTeamId); /// - /// http.request.method - /// HTTP request method. - /// The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - /// POST + /// file.code_signature.timestamp + /// Date and time when the code signature was generated and signed. + /// 1/1/2021 12:10:30 PM /// - public static string HttpRequestMethod = nameof(HttpRequestMethod); + public static string FileCodeSignatureTimestamp = nameof(FileCodeSignatureTimestamp); /// - /// http.request.mime_type - /// Mime type of the body of the request. - /// This value must only be populated based on the content of the request body, not on the `Content-Type` header. 
Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. - /// image/gif + /// file.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + /// true /// - public static string HttpRequestMimeType = nameof(HttpRequestMimeType); + public static string FileCodeSignatureTrusted = nameof(FileCodeSignatureTrusted); /// - /// http.request.referrer - /// Referrer for this HTTP request. - /// https://blog.example.com/ + /// file.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. + /// Leave unpopulated if a certificate was unchecked. + /// true /// - public static string HttpRequestReferrer = nameof(HttpRequestReferrer); + public static string FileCodeSignatureValid = nameof(FileCodeSignatureValid); /// - /// http.response.body.bytes - /// Size in bytes of the response body. - /// 887 + /// file.elf.architecture + /// Machine architecture of the ELF file. + /// x86-64 /// - public static string HttpResponseBodyBytes = nameof(HttpResponseBodyBytes); + public static string FileElfArchitecture = nameof(FileElfArchitecture); /// - /// http.response.body.content - /// The full HTTP response body. - /// Hello world + /// file.elf.byte_order + /// Byte sequence of ELF file. + /// Little Endian /// - public static string HttpResponseBodyContent = nameof(HttpResponseBodyContent); + public static string FileElfByteOrder = nameof(FileElfByteOrder); /// - /// http.response.bytes - /// Total size in bytes of the response (body and headers). - /// 1437 + /// file.elf.cpu_type + /// CPU type of the ELF file. 
+ /// Intel /// - public static string HttpResponseBytes = nameof(HttpResponseBytes); + public static string FileElfCpuType = nameof(FileElfCpuType); /// - /// http.response.mime_type - /// Mime type of the body of the response. - /// This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - /// image/gif + /// file.elf.creation_date + /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + /// /// - public static string HttpResponseMimeType = nameof(HttpResponseMimeType); + public static string FileElfCreationDate = nameof(FileElfCreationDate); /// - /// http.response.status_code - /// HTTP response status code. - /// 404 + /// file.elf.go_import_hash + /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string HttpResponseStatusCode = nameof(HttpResponseStatusCode); + public static string FileElfGoImportHash = nameof(FileElfGoImportHash); /// - /// http.version - /// HTTP version. - /// 1.1 + /// file.elf.go_imports + /// List of imported Go language element names and types. + /// /// - public static string HttpVersion = nameof(HttpVersion); + public static string FileElfGoImports = nameof(FileElfGoImports); /// - /// interface.alias - /// Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. 
- /// outside + /// file.elf.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// /// - public static string InterfaceAlias = nameof(InterfaceAlias); + public static string FileElfGoImportsNamesEntropy = nameof(FileElfGoImportsNamesEntropy); /// - /// interface.id - /// Interface ID as reported by an observer (typically SNMP interface ID). - /// 10 + /// file.elf.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// /// - public static string InterfaceId = nameof(InterfaceId); + public static string FileElfGoImportsNamesVarEntropy = nameof(FileElfGoImportsNamesVarEntropy); /// - /// interface.name - /// Interface name as reported by the system. - /// eth0 + /// file.elf.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// /// - public static string InterfaceName = nameof(InterfaceName); + public static string FileElfGoStripped = nameof(FileElfGoStripped); /// - /// log.file.path - /// Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - /// If the event wasn't read from a log file, do not populate this field. - /// /var/log/fun-times.log + /// file.elf.header.abi_version + /// Version of the ELF Application Binary Interface (ABI). + /// /// - public static string LogFilePath = nameof(LogFilePath); + public static string FileElfHeaderAbiVersion = nameof(FileElfHeaderAbiVersion); /// - /// log.level - /// Original log level of the log event. - /// If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - /// Some examples are `warn`, `err`, `i`, `informational`. 
- /// error + /// file.elf.header.class + /// Header class of the ELF file. + /// /// - public static string LogLevel = nameof(LogLevel); + public static string FileElfHeaderClass = nameof(FileElfHeaderClass); /// - /// log.logger - /// The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - /// org.elasticsearch.bootstrap.Bootstrap + /// file.elf.header.data + /// Data table of the ELF header. + /// /// - public static string LogLogger = nameof(LogLogger); + public static string FileElfHeaderData = nameof(FileElfHeaderData); /// - /// log.origin.file.line - /// The line number of the file containing the source code which originated the log event. - /// 42 + /// file.elf.header.entrypoint + /// Header entrypoint of the ELF file. + /// /// - public static string LogOriginFileLine = nameof(LogOriginFileLine); + public static string FileElfHeaderEntrypoint = nameof(FileElfHeaderEntrypoint); /// - /// log.origin.file.name - /// The name of the file containing the source code which originated the log event. - /// Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. - /// Bootstrap.java + /// file.elf.header.object_version + /// "0x1" for original ELF files. + /// /// - public static string LogOriginFileName = nameof(LogOriginFileName); + public static string FileElfHeaderObjectVersion = nameof(FileElfHeaderObjectVersion); /// - /// log.origin.function - /// The name of the function or method which originated the log event. - /// init + /// file.elf.header.os_abi + /// Application Binary Interface (ABI) of the Linux OS. + /// /// - public static string LogOriginFunction = nameof(LogOriginFunction); + public static string FileElfHeaderOsAbi = nameof(FileElfHeaderOsAbi); /// - /// macho.go_import_hash + /// file.elf.header.type + /// Header type of the ELF file. 
+ /// + /// + public static string FileElfHeaderType = nameof(FileElfHeaderType); + /// + /// file.elf.header.version + /// Version of the ELF header. + /// + /// + public static string FileElfHeaderVersion = nameof(FileElfHeaderVersion); + /// + /// file.elf.import_hash + /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is an ELF implementation of the Windows PE imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string FileElfImportHash = nameof(FileElfImportHash); + /// + /// file.elf.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FileElfImportsNamesEntropy = nameof(FileElfImportsNamesEntropy); + /// + /// file.elf.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string FileElfImportsNamesVarEntropy = nameof(FileElfImportsNamesVarEntropy); + /// + /// file.elf.telfhash + /// telfhash symbol hash for ELF file. + /// + /// + public static string FileElfTelfhash = nameof(FileElfTelfhash); + /// + /// file.macho.go_import_hash /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). 
/// 10bddcb4cee42080f76c88d9ff964491 /// - public static string MachoGoImportHash = nameof(MachoGoImportHash); + public static string FileMachoGoImportHash = nameof(FileMachoGoImportHash); /// - /// macho.go_imports + /// file.macho.go_imports /// List of imported Go language element names and types. /// /// - public static string MachoGoImports = nameof(MachoGoImports); + public static string FileMachoGoImports = nameof(FileMachoGoImports); /// - /// macho.go_imports_names_entropy + /// file.macho.go_imports_names_entropy /// Shannon entropy calculation from the list of Go imports. /// /// - public static string MachoGoImportsNamesEntropy = nameof(MachoGoImportsNamesEntropy); + public static string FileMachoGoImportsNamesEntropy = nameof(FileMachoGoImportsNamesEntropy); /// - /// macho.go_imports_names_var_entropy + /// file.macho.go_imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string MachoGoImportsNamesVarEntropy = nameof(MachoGoImportsNamesVarEntropy); + public static string FileMachoGoImportsNamesVarEntropy = nameof(FileMachoGoImportsNamesVarEntropy); /// - /// macho.go_stripped + /// file.macho.go_stripped /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string MachoGoStripped = nameof(MachoGoStripped); + public static string FileMachoGoStripped = nameof(FileMachoGoStripped); /// - /// macho.import_hash + /// file.macho.import_hash /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// This is a synonym for symhash. 
/// d41d8cd98f00b204e9800998ecf8427e /// - public static string MachoImportHash = nameof(MachoImportHash); + public static string FileMachoImportHash = nameof(FileMachoImportHash); /// - /// macho.imports_names_entropy + /// file.macho.imports_names_entropy /// Shannon entropy calculation from the list of imported element names and types. /// /// - public static string MachoImportsNamesEntropy = nameof(MachoImportsNamesEntropy); + public static string FileMachoImportsNamesEntropy = nameof(FileMachoImportsNamesEntropy); /// - /// macho.imports_names_var_entropy + /// file.macho.imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of imported element names and types. /// /// - public static string MachoImportsNamesVarEntropy = nameof(MachoImportsNamesVarEntropy); + public static string FileMachoImportsNamesVarEntropy = nameof(FileMachoImportsNamesVarEntropy); /// - /// macho.symhash + /// file.macho.symhash /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// This is a Mach-O implementation of the Windows PE imphash /// d3ccf195b62a9279c3c19af1080497ec /// - public static string MachoSymhash = nameof(MachoSymhash); + public static string FileMachoSymhash = nameof(FileMachoSymhash); /// - /// network.application - /// When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - /// For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - /// The field value must be normalized to lowercase for querying. - /// aim + /// geo.city_name + /// City name. 
+ /// Montreal /// - public static string NetworkApplication = nameof(NetworkApplication); + public static string GeoCityName = nameof(GeoCityName); /// - /// network.bytes - /// Total bytes transferred in both directions. - /// If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - /// 368 + /// geo.continent_code + /// Two-letter code representing continent's name. + /// NA /// - public static string NetworkBytes = nameof(NetworkBytes); + public static string GeoContinentCode = nameof(GeoContinentCode); /// - /// network.community_id - /// A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - /// Learn more at https://github.com/corelight/community-id-spec. - /// 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + /// geo.continent_name + /// Name of the continent. + /// North America /// - public static string NetworkCommunityId = nameof(NetworkCommunityId); + public static string GeoContinentName = nameof(GeoContinentName); /// - /// network.direction - /// Direction of the network traffic. - /// When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - /// When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - /// Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - ///
Expected Values:
- /// - /// ingress - /// egress - /// inbound - /// outbound - /// internal - /// external - /// unknown - ///
- /// inbound + /// geo.country_iso_code + /// Country ISO code. + /// CA ///
- public static string NetworkDirection = nameof(NetworkDirection); + public static string GeoCountryIsoCode = nameof(GeoCountryIsoCode); /// - /// network.forwarded_ip - /// Host IP address when the source IP address is the proxy. - /// 192.1.1.2 + /// geo.country_name + /// Country name. + /// Canada /// - public static string NetworkForwardedIp = nameof(NetworkForwardedIp); + public static string GeoCountryName = nameof(GeoCountryName); /// - /// network.iana_number - /// IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - /// 6 + /// geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } /// - public static string NetworkIanaNumber = nameof(NetworkIanaNumber); + public static string GeoLocation = nameof(GeoLocation); /// - /// network.name - /// Name given by operators to sections of their network. - /// Guest Wifi + /// geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc /// - public static string NetworkName = nameof(NetworkName); + public static string GeoName = nameof(GeoName); /// - /// network.packets - /// Total packets transferred in both directions. - /// If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - /// 24 + /// geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. 
+ /// 94040 /// - public static string NetworkPackets = nameof(NetworkPackets); + public static string GeoPostalCode = nameof(GeoPostalCode); /// - /// network.protocol - /// In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - /// The field value must be normalized to lowercase for querying. - /// http + /// geo.region_iso_code + /// Region ISO code. + /// CA-QC /// - public static string NetworkProtocol = nameof(NetworkProtocol); + public static string GeoRegionIsoCode = nameof(GeoRegionIsoCode); /// - /// network.transport - /// Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - /// The field value must be normalized to lowercase for querying. - /// tcp + /// geo.region_name + /// Region name. + /// Quebec /// - public static string NetworkTransport = nameof(NetworkTransport); + public static string GeoRegionName = nameof(GeoRegionName); /// - /// network.type - /// In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - /// The field value must be normalized to lowercase for querying. - /// ipv4 + /// geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires /// - public static string NetworkType = nameof(NetworkType); + public static string GeoTimezone = nameof(GeoTimezone); /// - /// observer.hostname - /// Hostname of the observer. + /// group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. /// /// - public static string ObserverHostname = nameof(ObserverHostname); - /// - /// observer.name - /// Custom name of the observer. - /// This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - /// If no custom name is needed, the field can be left empty. 
- /// 1_proxySG - /// - public static string ObserverName = nameof(ObserverName); - /// - /// observer.product - /// The product name of the observer. - /// s200 - /// - public static string ObserverProduct = nameof(ObserverProduct); + public static string GroupDomain = nameof(GroupDomain); /// - /// observer.serial_number - /// Observer serial number. + /// group.id + /// Unique identifier for the group on the system/platform. /// /// - public static string ObserverSerialNumber = nameof(ObserverSerialNumber); + public static string GroupId = nameof(GroupId); /// - /// observer.type - /// The type of the observer the data is coming from. - /// There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - /// firewall + /// group.name + /// Name of the group. + /// /// - public static string ObserverType = nameof(ObserverType); + public static string GroupName = nameof(GroupName); /// - /// observer.vendor - /// Vendor name of the observer. - /// Symantec + /// hash.md5 + /// MD5 hash. + /// /// - public static string ObserverVendor = nameof(ObserverVendor); + public static string HashMd5 = nameof(HashMd5); /// - /// observer.version - /// Observer version. + /// hash.sha1 + /// SHA1 hash. /// /// - public static string ObserverVersion = nameof(ObserverVersion); + public static string HashSha1 = nameof(HashSha1); /// - /// orchestrator.api_version - /// API version being used to carry out the action - /// v1beta1 + /// hash.sha256 + /// SHA256 hash. + /// /// - public static string OrchestratorApiVersion = nameof(OrchestratorApiVersion); + public static string HashSha256 = nameof(HashSha256); /// - /// orchestrator.cluster.id - /// Unique ID of the cluster. + /// hash.sha384 + /// SHA384 hash. 
/// /// - public static string OrchestratorClusterId = nameof(OrchestratorClusterId); + public static string HashSha384 = nameof(HashSha384); /// - /// orchestrator.cluster.name - /// Name of the cluster. + /// hash.sha512 + /// SHA512 hash. /// /// - public static string OrchestratorClusterName = nameof(OrchestratorClusterName); + public static string HashSha512 = nameof(HashSha512); /// - /// orchestrator.cluster.url - /// URL of the API used to manage the cluster. + /// hash.ssdeep + /// SSDEEP hash. /// /// - public static string OrchestratorClusterUrl = nameof(OrchestratorClusterUrl); + public static string HashSsdeep = nameof(HashSsdeep); /// - /// orchestrator.cluster.version - /// The version of the cluster. + /// hash.tlsh + /// TLSH hash. /// /// - public static string OrchestratorClusterVersion = nameof(OrchestratorClusterVersion); + public static string HashTlsh = nameof(HashTlsh); /// - /// orchestrator.namespace - /// Namespace in which the action is taking place. - /// kube-system + /// host.architecture + /// Operating system architecture. + /// x86_64 /// - public static string OrchestratorNamespace = nameof(OrchestratorNamespace); + public static string HostArchitecture = nameof(HostArchitecture); /// - /// orchestrator.organization - /// Organization affected by the event (for multi-tenant orchestrator setups). - /// elastic + /// host.boot.id + /// Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. + ///
This field is beta and subject to change.
+ /// 88a1f0ed-5ae5-41ee-af6b-41921c311872 ///
- public static string OrchestratorOrganization = nameof(OrchestratorOrganization); + public static string HostBootId = nameof(HostBootId); /// - /// orchestrator.resource.id - /// Unique ID of the resource being acted upon. + /// host.cpu.usage + /// Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. + /// Scaling factor: 1000. + /// For example: For a two core host, this value should be the average of the two cores, between 0 and 1. /// /// - public static string OrchestratorResourceId = nameof(OrchestratorResourceId); + public static string HostCpuUsage = nameof(HostCpuUsage); /// - /// orchestrator.resource.name - /// Name of the resource being acted upon. - /// test-pod-cdcws + /// host.disk.read.bytes + /// The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. + /// /// - public static string OrchestratorResourceName = nameof(OrchestratorResourceName); + public static string HostDiskReadBytes = nameof(HostDiskReadBytes); /// - /// orchestrator.resource.parent.type - /// Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet). - /// DaemonSet + /// host.disk.write.bytes + /// The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. + /// /// - public static string OrchestratorResourceParentType = nameof(OrchestratorResourceParentType); + public static string HostDiskWriteBytes = nameof(HostDiskWriteBytes); /// - /// orchestrator.resource.type - /// Type of resource being acted upon. - /// service + /// host.domain + /// Name of the domain of which the host is a member. + /// For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
+ /// CONTOSO /// - public static string OrchestratorResourceType = nameof(OrchestratorResourceType); + public static string HostDomain = nameof(HostDomain); /// - /// orchestrator.type - /// Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - /// kubernetes + /// host.hostname + /// Hostname of the host. + /// It normally contains what the `hostname` command returns on the host machine. + /// /// - public static string OrchestratorType = nameof(OrchestratorType); + public static string HostHostname = nameof(HostHostname); /// - /// organization.id - /// Unique identifier for the organization. + /// host.id + /// Unique host id. + /// As hostname is not always unique, use values that are meaningful in your environment. + /// Example: The current usage of `beat.name`. /// /// - public static string OrganizationId = nameof(OrganizationId); + public static string HostId = nameof(HostId); /// - /// organization.name - /// Organization name. + /// host.name + /// Name of the host. + /// It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. /// /// - public static string OrganizationName = nameof(OrganizationName); + public static string HostName = nameof(HostName); /// - /// os.family + /// host.network.egress.bytes + /// The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. + /// + /// + public static string HostNetworkEgressBytes = nameof(HostNetworkEgressBytes); + /// + /// host.network.egress.packets + /// The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. + /// + /// + public static string HostNetworkEgressPackets = nameof(HostNetworkEgressPackets); + /// + /// host.network.ingress.bytes + /// The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
+ /// + /// + public static string HostNetworkIngressBytes = nameof(HostNetworkIngressBytes); + /// + /// host.network.ingress.packets + /// The number of packets (gauge) received on all network interfaces by the host since the last metric collection. + /// + /// + public static string HostNetworkIngressPackets = nameof(HostNetworkIngressPackets); + /// + /// host.pid_ns_ino + /// This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. + ///
This field is beta and subject to change.
+ /// 256383 + ///
+ public static string HostPidNsIno = nameof(HostPidNsIno); + /// + /// host.type + /// Type of host. + /// For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + /// + /// + public static string HostType = nameof(HostType); + /// + /// host.uptime + /// Seconds the host has been up. + /// 1325 + /// + public static string HostUptime = nameof(HostUptime); + /// + /// host.geo.city_name + /// City name. + /// Montreal + /// + public static string HostGeoCityName = nameof(HostGeoCityName); + /// + /// host.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string HostGeoContinentCode = nameof(HostGeoContinentCode); + /// + /// host.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string HostGeoContinentName = nameof(HostGeoContinentName); + /// + /// host.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string HostGeoCountryIsoCode = nameof(HostGeoCountryIsoCode); + /// + /// host.geo.country_name + /// Country name. + /// Canada + /// + public static string HostGeoCountryName = nameof(HostGeoCountryName); + /// + /// host.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string HostGeoLocation = nameof(HostGeoLocation); + /// + /// host.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string HostGeoName = nameof(HostGeoName); + /// + /// host.geo.postal_code + /// Postal code associated with the location. 
+ /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string HostGeoPostalCode = nameof(HostGeoPostalCode); + /// + /// host.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string HostGeoRegionIsoCode = nameof(HostGeoRegionIsoCode); + /// + /// host.geo.region_name + /// Region name. + /// Quebec + /// + public static string HostGeoRegionName = nameof(HostGeoRegionName); + /// + /// host.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string HostGeoTimezone = nameof(HostGeoTimezone); + /// + /// host.os.family /// OS family (such as redhat, debian, freebsd, windows). /// debian /// - public static string OsFamily = nameof(OsFamily); + public static string HostOsFamily = nameof(HostOsFamily); /// - /// os.full + /// host.os.full /// Operating system name, including the version or code name. /// Mac OS Mojave /// - public static string OsFull = nameof(OsFull); + public static string HostOsFull = nameof(HostOsFull); /// - /// os.kernel + /// host.os.kernel /// Operating system kernel version as a raw string. /// 4.4.0-112-generic /// - public static string OsKernel = nameof(OsKernel); + public static string HostOsKernel = nameof(HostOsKernel); /// - /// os.name + /// host.os.name /// Operating system name, without the version. /// Mac OS X /// - public static string OsName = nameof(OsName); + public static string HostOsName = nameof(HostOsName); /// - /// os.platform + /// host.os.platform /// Operating system platform (such centos, ubuntu, windows). /// darwin /// - public static string OsPlatform = nameof(OsPlatform); + public static string HostOsPlatform = nameof(HostOsPlatform); /// - /// os.type + /// host.os.type /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
/// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. ///
Expected Values:
@@ -1916,895 +2582,3820 @@ public static class LogTemplateProperties ///
/// macos ///
- public static string OsType = nameof(OsType); + public static string HostOsType = nameof(HostOsType); /// - /// os.version + /// host.os.version /// Operating system version as a raw string. /// 10.14.1 /// - public static string OsVersion = nameof(OsVersion); + public static string HostOsVersion = nameof(HostOsVersion); /// - /// package.architecture - /// Package architecture. - /// x86_64 + /// host.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High /// - public static string PackageArchitecture = nameof(PackageArchitecture); + public static string HostRiskCalculatedLevel = nameof(HostRiskCalculatedLevel); /// - /// package.build_version - /// Additional information about the build version of the installed package. - /// For example use the commit SHA of a non-released package. - /// 36f4f7e89dd61b0988b12ee000b98966867710cd + /// host.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 /// - public static string PackageBuildVersion = nameof(PackageBuildVersion); + public static string HostRiskCalculatedScore = nameof(HostRiskCalculatedScore); /// - /// package.checksum - /// Checksum of the installed package for verification. - /// 68b329da9893e34099c7d8ad5cb9c940 + /// host.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 /// - public static string PackageChecksum = nameof(PackageChecksum); + public static string HostRiskCalculatedScoreNorm = nameof(HostRiskCalculatedScoreNorm); /// - /// package.description - /// Description of the package. - /// Open source programming language to build simple/reliable/efficient software. 
+ /// host.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High /// - public static string PackageDescription = nameof(PackageDescription); + public static string HostRiskStaticLevel = nameof(HostRiskStaticLevel); /// - /// package.install_scope - /// Indicating how the package was installed, e.g. user-local, global. - /// global + /// host.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 /// - public static string PackageInstallScope = nameof(PackageInstallScope); + public static string HostRiskStaticScore = nameof(HostRiskStaticScore); /// - /// package.installed - /// Time when package was installed. - /// + /// host.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 /// - public static string PackageInstalled = nameof(PackageInstalled); + public static string HostRiskStaticScoreNorm = nameof(HostRiskStaticScoreNorm); /// - /// package.license - /// License under which the package was released. - /// Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). - /// Apache License 2.0 + /// http.request.body.bytes + /// Size in bytes of the request body. + /// 887 /// - public static string PackageLicense = nameof(PackageLicense); + public static string HttpRequestBodyBytes = nameof(HttpRequestBodyBytes); /// - /// package.name - /// Package name - /// go + /// http.request.body.content + /// The full HTTP request body. + /// Hello world /// - public static string PackageName = nameof(PackageName); + public static string HttpRequestBodyContent = nameof(HttpRequestBodyContent); /// - /// package.path - /// Path where the package is installed. 
- /// /usr/local/Cellar/go/1.12.9/ + /// http.request.bytes + /// Total size in bytes of the request (body and headers). + /// 1437 /// - public static string PackagePath = nameof(PackagePath); + public static string HttpRequestBytes = nameof(HttpRequestBytes); /// - /// package.reference - /// Home page or reference URL of the software in this package, if available. - /// https://golang.org + /// http.request.id + /// A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. + /// The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + /// 123e4567-e89b-12d3-a456-426614174000 /// - public static string PackageReference = nameof(PackageReference); + public static string HttpRequestId = nameof(HttpRequestId); /// - /// package.size - /// Package size in bytes. - /// 62231 + /// http.request.method + /// HTTP request method. + /// The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + /// POST /// - public static string PackageSize = nameof(PackageSize); + public static string HttpRequestMethod = nameof(HttpRequestMethod); /// - /// package.type - /// Type of package. - /// This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - /// rpm + /// http.request.mime_type + /// Mime type of the body of the request. + /// This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. 
+ /// image/gif /// - public static string PackageType = nameof(PackageType); + public static string HttpRequestMimeType = nameof(HttpRequestMimeType); /// - /// package.version - /// Package version - /// 1.12.9 + /// http.request.referrer + /// Referrer for this HTTP request. + /// https://blog.example.com/ /// - public static string PackageVersion = nameof(PackageVersion); + public static string HttpRequestReferrer = nameof(HttpRequestReferrer); /// - /// pe.architecture - /// CPU architecture target for the file. - /// x64 - /// - public static string PeArchitecture = nameof(PeArchitecture); + /// http.response.body.bytes + /// Size in bytes of the response body. + /// 887 + ///
+ public static string HttpResponseBodyBytes = nameof(HttpResponseBodyBytes); /// - /// pe.company - /// Internal company name of the file, provided at compile-time. - /// Microsoft Corporation + /// http.response.body.content + /// The full HTTP response body. + /// Hello world /// - public static string PeCompany = nameof(PeCompany); + public static string HttpResponseBodyContent = nameof(HttpResponseBodyContent); /// - /// pe.description - /// Internal description of the file, provided at compile-time. - /// Paint + /// http.response.bytes + /// Total size in bytes of the response (body and headers). + /// 1437 /// - public static string PeDescription = nameof(PeDescription); + public static string HttpResponseBytes = nameof(HttpResponseBytes); /// - /// pe.file_version - /// Internal version of the file, provided at compile-time. - /// 6.3.9600.17415 + /// http.response.mime_type + /// Mime type of the body of the response. + /// This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. + /// image/gif /// - public static string PeFileVersion = nameof(PeFileVersion); + public static string HttpResponseMimeType = nameof(HttpResponseMimeType); /// - /// pe.go_import_hash - /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// http.response.status_code + /// HTTP response status code. + /// 404 + /// + public static string HttpResponseStatusCode = nameof(HttpResponseStatusCode); + /// + /// http.version + /// HTTP version. 
+ /// 1.1 + /// + public static string HttpVersion = nameof(HttpVersion); + /// + /// interface.alias + /// Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + /// outside + /// + public static string InterfaceAlias = nameof(InterfaceAlias); + /// + /// interface.id + /// Interface ID as reported by an observer (typically SNMP interface ID). + /// 10 + /// + public static string InterfaceId = nameof(InterfaceId); + /// + /// interface.name + /// Interface name as reported by the system. + /// eth0 + /// + public static string InterfaceName = nameof(InterfaceName); + /// + /// log.file.path + /// Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + /// If the event wasn't read from a log file, do not populate this field. + /// /var/log/fun-times.log + /// + public static string LogFilePath = nameof(LogFilePath); + /// + /// log.level + /// Original log level of the log event. + /// If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + /// Some examples are `warn`, `err`, `i`, `informational`. + /// error + /// + public static string LogLevel = nameof(LogLevel); + /// + /// log.logger + /// The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + /// org.elasticsearch.bootstrap.Bootstrap + /// + public static string LogLogger = nameof(LogLogger); + /// + /// log.origin.file.line + /// The line number of the file containing the source code which originated the log event. 
+ /// 42 + /// + public static string LogOriginFileLine = nameof(LogOriginFileLine); + /// + /// log.origin.file.name + /// The name of the file containing the source code which originated the log event. + /// Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + /// Bootstrap.java + /// + public static string LogOriginFileName = nameof(LogOriginFileName); + /// + /// log.origin.function + /// The name of the function or method which originated the log event. + /// init + /// + public static string LogOriginFunction = nameof(LogOriginFunction); + /// + /// macho.go_import_hash + /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string PeGoImportHash = nameof(PeGoImportHash); + public static string MachoGoImportHash = nameof(MachoGoImportHash); /// - /// pe.go_imports + /// macho.go_imports /// List of imported Go language element names and types. /// /// - public static string PeGoImports = nameof(PeGoImports); + public static string MachoGoImports = nameof(MachoGoImports); /// - /// pe.go_imports_names_entropy + /// macho.go_imports_names_entropy /// Shannon entropy calculation from the list of Go imports. /// /// - public static string PeGoImportsNamesEntropy = nameof(PeGoImportsNamesEntropy); + public static string MachoGoImportsNamesEntropy = nameof(MachoGoImportsNamesEntropy); /// - /// pe.go_imports_names_var_entropy + /// macho.go_imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of Go imports. 
/// /// - public static string PeGoImportsNamesVarEntropy = nameof(PeGoImportsNamesVarEntropy); + public static string MachoGoImportsNamesVarEntropy = nameof(MachoGoImportsNamesVarEntropy); /// - /// pe.go_stripped + /// macho.go_stripped /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string PeGoStripped = nameof(PeGoStripped); - /// - /// pe.imphash - /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - /// 0c6803c4e922103c4dca5963aad36ddf - /// - public static string PeImphash = nameof(PeImphash); + public static string MachoGoStripped = nameof(MachoGoStripped); /// - /// pe.import_hash - /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - /// This is a synonym for imphash. + /// macho.import_hash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for symhash. /// d41d8cd98f00b204e9800998ecf8427e /// - public static string PeImportHash = nameof(PeImportHash); + public static string MachoImportHash = nameof(MachoImportHash); /// - /// pe.imports_names_entropy + /// macho.imports_names_entropy /// Shannon entropy calculation from the list of imported element names and types. 
/// /// - public static string PeImportsNamesEntropy = nameof(PeImportsNamesEntropy); + public static string MachoImportsNamesEntropy = nameof(MachoImportsNamesEntropy); /// - /// pe.imports_names_var_entropy + /// macho.imports_names_var_entropy /// Variance for Shannon entropy calculation from the list of imported element names and types. /// /// - public static string PeImportsNamesVarEntropy = nameof(PeImportsNamesVarEntropy); + public static string MachoImportsNamesVarEntropy = nameof(MachoImportsNamesVarEntropy); /// - /// pe.original_file_name - /// Internal name of the file, provided at compile-time. - /// MSPAINT.EXE + /// macho.symhash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a Mach-O implementation of the Windows PE imphash + /// d3ccf195b62a9279c3c19af1080497ec /// - public static string PeOriginalFileName = nameof(PeOriginalFileName); + public static string MachoSymhash = nameof(MachoSymhash); /// - /// pe.pehash - /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. - /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. - /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// network.application + /// When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + /// For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + /// The field value must be normalized to lowercase for querying. 
+ /// aim /// - public static string PePehash = nameof(PePehash); + public static string NetworkApplication = nameof(NetworkApplication); /// - /// pe.product - /// Internal product name of the file, provided at compile-time. - /// Microsoft® Windows® Operating System + /// network.bytes + /// Total bytes transferred in both directions. + /// If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + /// 368 /// - public static string PeProduct = nameof(PeProduct); + public static string NetworkBytes = nameof(NetworkBytes); /// - /// process.args_count - /// Length of the process.args array. - /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - /// 4 + /// network.community_id + /// A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + /// Learn more at https://github.com/corelight/community-id-spec. + /// 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= /// - public static string ProcessArgsCount = nameof(ProcessArgsCount); + public static string NetworkCommunityId = nameof(NetworkCommunityId); /// - /// process.command_line - /// Full command line that started the process, including the absolute path to the executable, and all arguments. - /// Some arguments may be filtered to protect sensitive information. - /// /usr/bin/ssh -l user 10.0.0.16 + /// network.direction + /// Direction of the network traffic. + /// When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + /// When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
+ /// Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + ///
Expected Values:
+ /// + /// ingress + /// egress + /// inbound + /// outbound + /// internal + /// external + /// unknown + ///
+ /// inbound ///
- public static string ProcessCommandLine = nameof(ProcessCommandLine); + public static string NetworkDirection = nameof(NetworkDirection); /// - /// process.end - /// The time the process ended. - /// 5/23/2016 8:05:34AM + /// network.forwarded_ip + /// Host IP address when the source IP address is the proxy. + /// 192.1.1.2 /// - public static string ProcessEnd = nameof(ProcessEnd); + public static string NetworkForwardedIp = nameof(NetworkForwardedIp); /// - /// process.entity_id - /// Unique identifier for the process. - /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - /// c2c455d9f99375d + /// network.iana_number + /// IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + /// 6 /// - public static string ProcessEntityId = nameof(ProcessEntityId); + public static string NetworkIanaNumber = nameof(NetworkIanaNumber); /// - /// process.executable - /// Absolute path to the process executable. - /// /usr/bin/ssh + /// network.name + /// Name given by operators to sections of their network. + /// Guest Wifi /// - public static string ProcessExecutable = nameof(ProcessExecutable); + public static string NetworkName = nameof(NetworkName); /// - /// process.exit_code - /// The exit code of the process, if this is a termination event. - /// The field should be absent if there is no exit code for the event (e.g. process start). - /// 137 + /// network.packets + /// Total packets transferred in both directions. 
+ /// If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + /// 24 /// - public static string ProcessExitCode = nameof(ProcessExitCode); + public static string NetworkPackets = nameof(NetworkPackets); /// - /// process.interactive - /// Whether the process is connected to an interactive shell. - /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. - /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. - /// true + /// network.protocol + /// In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + /// The field value must be normalized to lowercase for querying. + /// http /// - public static string ProcessInteractive = nameof(ProcessInteractive); + public static string NetworkProtocol = nameof(NetworkProtocol); /// - /// process.name - /// Process name. - /// Sometimes called program name or similar. + /// network.transport + /// Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + /// The field value must be normalized to lowercase for querying. + /// tcp + /// + public static string NetworkTransport = nameof(NetworkTransport); + /// + /// network.type + /// In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + /// The field value must be normalized to lowercase for querying. + /// ipv4 + /// + public static string NetworkType = nameof(NetworkType); + /// + /// network.vlan.id + /// VLAN ID as reported by the observer. 
+ /// 10 + /// + public static string NetworkVlanId = nameof(NetworkVlanId); + /// + /// network.vlan.name + /// Optional VLAN name as reported by the observer. + /// outside + /// + public static string NetworkVlanName = nameof(NetworkVlanName); + /// + /// observer.hostname + /// Hostname of the observer. + /// + /// + public static string ObserverHostname = nameof(ObserverHostname); + /// + /// observer.name + /// Custom name of the observer. + /// This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + /// If no custom name is needed, the field can be left empty. + /// 1_proxySG + /// + public static string ObserverName = nameof(ObserverName); + /// + /// observer.product + /// The product name of the observer. + /// s200 + /// + public static string ObserverProduct = nameof(ObserverProduct); + /// + /// observer.serial_number + /// Observer serial number. + /// + /// + public static string ObserverSerialNumber = nameof(ObserverSerialNumber); + /// + /// observer.type + /// The type of the observer the data is coming from. + /// There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + /// firewall + /// + public static string ObserverType = nameof(ObserverType); + /// + /// observer.vendor + /// Vendor name of the observer. + /// Symantec + /// + public static string ObserverVendor = nameof(ObserverVendor); + /// + /// observer.version + /// Observer version. + /// + /// + public static string ObserverVersion = nameof(ObserverVersion); + /// + /// observer.geo.city_name + /// City name. + /// Montreal + /// + public static string ObserverGeoCityName = nameof(ObserverGeoCityName); + /// + /// observer.geo.continent_code + /// Two-letter code representing continent's name. 
+ /// NA + /// + public static string ObserverGeoContinentCode = nameof(ObserverGeoContinentCode); + /// + /// observer.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string ObserverGeoContinentName = nameof(ObserverGeoContinentName); + /// + /// observer.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ObserverGeoCountryIsoCode = nameof(ObserverGeoCountryIsoCode); + /// + /// observer.geo.country_name + /// Country name. + /// Canada + /// + public static string ObserverGeoCountryName = nameof(ObserverGeoCountryName); + /// + /// observer.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ObserverGeoLocation = nameof(ObserverGeoLocation); + /// + /// observer.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string ObserverGeoName = nameof(ObserverGeoName); + /// + /// observer.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string ObserverGeoPostalCode = nameof(ObserverGeoPostalCode); + /// + /// observer.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ObserverGeoRegionIsoCode = nameof(ObserverGeoRegionIsoCode); + /// + /// observer.geo.region_name + /// Region name. + /// Quebec + /// + public static string ObserverGeoRegionName = nameof(ObserverGeoRegionName); + /// + /// observer.geo.timezone + /// The time zone of the location, such as IANA time zone name. 
+ /// America/Argentina/Buenos_Aires + /// + public static string ObserverGeoTimezone = nameof(ObserverGeoTimezone); + /// + /// observer.os.family + /// OS family (such as redhat, debian, freebsd, windows). + /// debian + /// + public static string ObserverOsFamily = nameof(ObserverOsFamily); + /// + /// observer.os.full + /// Operating system name, including the version or code name. + /// Mac OS Mojave + /// + public static string ObserverOsFull = nameof(ObserverOsFull); + /// + /// observer.os.kernel + /// Operating system kernel version as a raw string. + /// 4.4.0-112-generic + /// + public static string ObserverOsKernel = nameof(ObserverOsKernel); + /// + /// observer.os.name + /// Operating system name, without the version. + /// Mac OS X + /// + public static string ObserverOsName = nameof(ObserverOsName); + /// + /// observer.os.platform + /// Operating system platform (such centos, ubuntu, windows). + /// darwin + /// + public static string ObserverOsPlatform = nameof(ObserverOsPlatform); + /// + /// observer.os.type + /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. + /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + ///
Expected Values:
+ /// + /// linux + /// macos + /// unix + /// windows + /// ios + /// android + ///
+ /// macos + ///
+ public static string ObserverOsType = nameof(ObserverOsType); + /// + /// observer.os.version + /// Operating system version as a raw string. + /// 10.14.1 + /// + public static string ObserverOsVersion = nameof(ObserverOsVersion); + /// + /// orchestrator.api_version + /// API version being used to carry out the action + /// v1beta1 + /// + public static string OrchestratorApiVersion = nameof(OrchestratorApiVersion); + /// + /// orchestrator.cluster.id + /// Unique ID of the cluster. + /// + /// + public static string OrchestratorClusterId = nameof(OrchestratorClusterId); + /// + /// orchestrator.cluster.name + /// Name of the cluster. + /// + /// + public static string OrchestratorClusterName = nameof(OrchestratorClusterName); + /// + /// orchestrator.cluster.url + /// URL of the API used to manage the cluster. + /// + /// + public static string OrchestratorClusterUrl = nameof(OrchestratorClusterUrl); + /// + /// orchestrator.cluster.version + /// The version of the cluster. + /// + /// + public static string OrchestratorClusterVersion = nameof(OrchestratorClusterVersion); + /// + /// orchestrator.namespace + /// Namespace in which the action is taking place. + /// kube-system + /// + public static string OrchestratorNamespace = nameof(OrchestratorNamespace); + /// + /// orchestrator.organization + /// Organization affected by the event (for multi-tenant orchestrator setups). + /// elastic + /// + public static string OrchestratorOrganization = nameof(OrchestratorOrganization); + /// + /// orchestrator.resource.id + /// Unique ID of the resource being acted upon. + /// + /// + public static string OrchestratorResourceId = nameof(OrchestratorResourceId); + /// + /// orchestrator.resource.name + /// Name of the resource being acted upon. 
+ /// test-pod-cdcws + /// + public static string OrchestratorResourceName = nameof(OrchestratorResourceName); + /// + /// orchestrator.resource.parent.type + /// Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet). + /// DaemonSet + /// + public static string OrchestratorResourceParentType = nameof(OrchestratorResourceParentType); + /// + /// orchestrator.resource.type + /// Type of resource being acted upon. + /// service + /// + public static string OrchestratorResourceType = nameof(OrchestratorResourceType); + /// + /// orchestrator.type + /// Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). + /// kubernetes + /// + public static string OrchestratorType = nameof(OrchestratorType); + /// + /// organization.id + /// Unique identifier for the organization. + /// + /// + public static string OrganizationId = nameof(OrganizationId); + /// + /// organization.name + /// Organization name. + /// + /// + public static string OrganizationName = nameof(OrganizationName); + /// + /// os.family + /// OS family (such as redhat, debian, freebsd, windows). + /// debian + /// + public static string OsFamily = nameof(OsFamily); + /// + /// os.full + /// Operating system name, including the version or code name. + /// Mac OS Mojave + /// + public static string OsFull = nameof(OsFull); + /// + /// os.kernel + /// Operating system kernel version as a raw string. + /// 4.4.0-112-generic + /// + public static string OsKernel = nameof(OsKernel); + /// + /// os.name + /// Operating system name, without the version. + /// Mac OS X + /// + public static string OsName = nameof(OsName); + /// + /// os.platform + /// Operating system platform (such centos, ubuntu, windows). 
+ /// darwin + /// + public static string OsPlatform = nameof(OsPlatform); + /// + /// os.type + /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. + /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + ///
Expected Values:
+ /// + /// linux + /// macos + /// unix + /// windows + /// ios + /// android + ///
+ /// macos + ///
+ public static string OsType = nameof(OsType); + /// + /// os.version + /// Operating system version as a raw string. + /// 10.14.1 + /// + public static string OsVersion = nameof(OsVersion); + /// + /// package.architecture + /// Package architecture. + /// x86_64 + /// + public static string PackageArchitecture = nameof(PackageArchitecture); + /// + /// package.build_version + /// Additional information about the build version of the installed package. + /// For example use the commit SHA of a non-released package. + /// 36f4f7e89dd61b0988b12ee000b98966867710cd + /// + public static string PackageBuildVersion = nameof(PackageBuildVersion); + /// + /// package.checksum + /// Checksum of the installed package for verification. + /// 68b329da9893e34099c7d8ad5cb9c940 + /// + public static string PackageChecksum = nameof(PackageChecksum); + /// + /// package.description + /// Description of the package. + /// Open source programming language to build simple/reliable/efficient software. + /// + public static string PackageDescription = nameof(PackageDescription); + /// + /// package.install_scope + /// Indicating how the package was installed, e.g. user-local, global. + /// global + /// + public static string PackageInstallScope = nameof(PackageInstallScope); + /// + /// package.installed + /// Time when package was installed. + /// + /// + public static string PackageInstalled = nameof(PackageInstalled); + /// + /// package.license + /// License under which the package was released. + /// Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + /// Apache License 2.0 + /// + public static string PackageLicense = nameof(PackageLicense); + /// + /// package.name + /// Package name + /// go + /// + public static string PackageName = nameof(PackageName); + /// + /// package.path + /// Path where the package is installed. 
+ /// /usr/local/Cellar/go/1.12.9/ + /// + public static string PackagePath = nameof(PackagePath); + /// + /// package.reference + /// Home page or reference URL of the software in this package, if available. + /// https://golang.org + /// + public static string PackageReference = nameof(PackageReference); + /// + /// package.size + /// Package size in bytes. + /// 62231 + /// + public static string PackageSize = nameof(PackageSize); + /// + /// package.type + /// Type of package. + /// This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + /// rpm + /// + public static string PackageType = nameof(PackageType); + /// + /// package.version + /// Package version + /// 1.12.9 + /// + public static string PackageVersion = nameof(PackageVersion); + /// + /// pe.architecture + /// CPU architecture target for the file. + /// x64 + /// + public static string PeArchitecture = nameof(PeArchitecture); + /// + /// pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation + /// + public static string PeCompany = nameof(PeCompany); + /// + /// pe.description + /// Internal description of the file, provided at compile-time. + /// Paint + /// + public static string PeDescription = nameof(PeDescription); + /// + /// pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 + /// + public static string PeFileVersion = nameof(PeFileVersion); + /// + /// pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). 
+ /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string PeGoImportHash = nameof(PeGoImportHash); + /// + /// pe.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string PeGoImports = nameof(PeGoImports); + /// + /// pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string PeGoImportsNamesEntropy = nameof(PeGoImportsNamesEntropy); + /// + /// pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string PeGoImportsNamesVarEntropy = nameof(PeGoImportsNamesVarEntropy); + /// + /// pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string PeGoStripped = nameof(PeGoStripped); + /// + /// pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf + /// + public static string PeImphash = nameof(PeImphash); + /// + /// pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string PeImportHash = nameof(PeImportHash); + /// + /// pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. 
+ /// + /// + public static string PeImportsNamesEntropy = nameof(PeImportsNamesEntropy); + /// + /// pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string PeImportsNamesVarEntropy = nameof(PeImportsNamesVarEntropy); + /// + /// pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE + /// + public static string PeOriginalFileName = nameof(PeOriginalFileName); + /// + /// pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// + public static string PePehash = nameof(PePehash); + /// + /// pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System + /// + public static string PeProduct = nameof(PeProduct); + /// + /// process.args_count + /// Length of the process.args array. + /// This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + /// 4 + /// + public static string ProcessArgsCount = nameof(ProcessArgsCount); + /// + /// process.command_line + /// Full command line that started the process, including the absolute path to the executable, and all arguments. + /// Some arguments may be filtered to protect sensitive information. + /// /usr/bin/ssh -l user 10.0.0.16 + /// + public static string ProcessCommandLine = nameof(ProcessCommandLine); + /// + /// process.end + /// The time the process ended. 
+ /// 5/23/2016 8:05:34 AM + /// + public static string ProcessEnd = nameof(ProcessEnd); + /// + /// process.entity_id + /// Unique identifier for the process. + /// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + /// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + /// c2c455d9f99375d + /// + public static string ProcessEntityId = nameof(ProcessEntityId); + /// + /// process.executable + /// Absolute path to the process executable. + /// /usr/bin/ssh + /// + public static string ProcessExecutable = nameof(ProcessExecutable); + /// + /// process.exit_code + /// The exit code of the process, if this is a termination event. + /// The field should be absent if there is no exit code for the event (e.g. process start). + /// 137 + /// + public static string ProcessExitCode = nameof(ProcessExitCode); + /// + /// process.interactive + /// Whether the process is connected to an interactive shell. + /// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + /// Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + /// true + /// + public static string ProcessInteractive = nameof(ProcessInteractive); + /// + /// process.name + /// Process name. + /// Sometimes called program name or similar. 
/// ssh /// - public static string ProcessName = nameof(ProcessName); + public static string ProcessName = nameof(ProcessName); + /// + /// process.pgid + /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + /// Identifier of the group of processes the process belongs to. + /// + /// + public static string ProcessPgid = nameof(ProcessPgid); + /// + /// process.pid + /// Process id. + /// 4242 + /// + public static string ProcessPid = nameof(ProcessPid); + /// + /// process.start + /// The time the process started. + /// 5/23/2016 8:05:34 AM + /// + public static string ProcessStart = nameof(ProcessStart); + /// + /// process.thread.id + /// Thread ID. + /// 4242 + /// + public static string ProcessThreadId = nameof(ProcessThreadId); + /// + /// process.thread.name + /// Thread name. + /// thread-0 + /// + public static string ProcessThreadName = nameof(ProcessThreadName); + /// + /// process.title + /// Process title. + /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// + /// + public static string ProcessTitle = nameof(ProcessTitle); + /// + /// process.uptime + /// Seconds the process has been up. + /// 1325 + /// + public static string ProcessUptime = nameof(ProcessUptime); + /// + /// process.vpid + /// Virtual process id. + /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. + /// 4242 + /// + public static string ProcessVpid = nameof(ProcessVpid); + /// + /// process.working_directory + /// The working directory of the process. + /// /home/alice + /// + public static string ProcessWorkingDirectory = nameof(ProcessWorkingDirectory); + /// + /// process.group.domain + /// Name of the directory the group is a member of. 
+ /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessGroupDomain = nameof(ProcessGroupDomain); + /// + /// process.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessGroupId = nameof(ProcessGroupId); + /// + /// process.group.name + /// Name of the group. + /// + /// + public static string ProcessGroupName = nameof(ProcessGroupName); + /// + /// process.real_group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessRealGroupDomain = nameof(ProcessRealGroupDomain); + /// + /// process.real_group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessRealGroupId = nameof(ProcessRealGroupId); + /// + /// process.real_group.name + /// Name of the group. + /// + /// + public static string ProcessRealGroupName = nameof(ProcessRealGroupName); + /// + /// process.saved_group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessSavedGroupDomain = nameof(ProcessSavedGroupDomain); + /// + /// process.saved_group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessSavedGroupId = nameof(ProcessSavedGroupId); + /// + /// process.saved_group.name + /// Name of the group. + /// + /// + public static string ProcessSavedGroupName = nameof(ProcessSavedGroupName); + /// + /// process.hash.md5 + /// MD5 hash. + /// + /// + public static string ProcessHashMd5 = nameof(ProcessHashMd5); + /// + /// process.hash.sha1 + /// SHA1 hash. + /// + /// + public static string ProcessHashSha1 = nameof(ProcessHashSha1); + /// + /// process.hash.sha256 + /// SHA256 hash. 
+ /// + /// + public static string ProcessHashSha256 = nameof(ProcessHashSha256); + /// + /// process.hash.sha384 + /// SHA384 hash. + /// + /// + public static string ProcessHashSha384 = nameof(ProcessHashSha384); + /// + /// process.hash.sha512 + /// SHA512 hash. + /// + /// + public static string ProcessHashSha512 = nameof(ProcessHashSha512); + /// + /// process.hash.ssdeep + /// SSDEEP hash. + /// + /// + public static string ProcessHashSsdeep = nameof(ProcessHashSsdeep); + /// + /// process.hash.tlsh + /// TLSH hash. + /// + /// + public static string ProcessHashTlsh = nameof(ProcessHashTlsh); + /// + /// process.pe.architecture + /// CPU architecture target for the file. + /// x64 + /// + public static string ProcessPeArchitecture = nameof(ProcessPeArchitecture); + /// + /// process.pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation + /// + public static string ProcessPeCompany = nameof(ProcessPeCompany); + /// + /// process.pe.description + /// Internal description of the file, provided at compile-time. + /// Paint + /// + public static string ProcessPeDescription = nameof(ProcessPeDescription); + /// + /// process.pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 + /// + public static string ProcessPeFileVersion = nameof(ProcessPeFileVersion); + /// + /// process.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). 
+ /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string ProcessPeGoImportHash = nameof(ProcessPeGoImportHash); + /// + /// process.pe.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string ProcessPeGoImports = nameof(ProcessPeGoImports); + /// + /// process.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessPeGoImportsNamesEntropy = nameof(ProcessPeGoImportsNamesEntropy); + /// + /// process.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessPeGoImportsNamesVarEntropy = nameof(ProcessPeGoImportsNamesVarEntropy); + /// + /// process.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string ProcessPeGoStripped = nameof(ProcessPeGoStripped); + /// + /// process.pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf + /// + public static string ProcessPeImphash = nameof(ProcessPeImphash); + /// + /// process.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. 
+ /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string ProcessPeImportHash = nameof(ProcessPeImportHash); + /// + /// process.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessPeImportsNamesEntropy = nameof(ProcessPeImportsNamesEntropy); + /// + /// process.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessPeImportsNamesVarEntropy = nameof(ProcessPeImportsNamesVarEntropy); + /// + /// process.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE + /// + public static string ProcessPeOriginalFileName = nameof(ProcessPeOriginalFileName); + /// + /// process.pe.pehash + /// A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 + /// + public static string ProcessPePehash = nameof(ProcessPePehash); + /// + /// process.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System + /// + public static string ProcessPeProduct = nameof(ProcessPeProduct); + /// + /// process.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. + /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 + /// + public static string ProcessCodeSignatureDigestAlgorithm = nameof(ProcessCodeSignatureDigestAlgorithm); + /// + /// process.code_signature.exists + /// Boolean to capture if a signature is present. 
+ /// true + /// + public static string ProcessCodeSignatureExists = nameof(ProcessCodeSignatureExists); + /// + /// process.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy + /// + public static string ProcessCodeSignatureSigningId = nameof(ProcessCodeSignatureSigningId); + /// + /// process.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + /// ERROR_UNTRUSTED_ROOT + /// + public static string ProcessCodeSignatureStatus = nameof(ProcessCodeSignatureStatus); + /// + /// process.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation + /// + public static string ProcessCodeSignatureSubjectName = nameof(ProcessCodeSignatureSubjectName); + /// + /// process.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + /// EQHXZ8M8AV + /// + public static string ProcessCodeSignatureTeamId = nameof(ProcessCodeSignatureTeamId); + /// + /// process.code_signature.timestamp + /// Date and time when the code signature was generated and signed. + /// 1/1/2021 12:10:30 PM + /// + public static string ProcessCodeSignatureTimestamp = nameof(ProcessCodeSignatureTimestamp); + /// + /// process.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+ /// true + /// + public static string ProcessCodeSignatureTrusted = nameof(ProcessCodeSignatureTrusted); + /// + /// process.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. + /// Leave unpopulated if a certificate was unchecked. + /// true + /// + public static string ProcessCodeSignatureValid = nameof(ProcessCodeSignatureValid); + /// + /// process.elf.architecture + /// Machine architecture of the ELF file. + /// x86-64 + /// + public static string ProcessElfArchitecture = nameof(ProcessElfArchitecture); + /// + /// process.elf.byte_order + /// Byte sequence of ELF file. + /// Little Endian + /// + public static string ProcessElfByteOrder = nameof(ProcessElfByteOrder); + /// + /// process.elf.cpu_type + /// CPU type of the ELF file. + /// Intel + /// + public static string ProcessElfCpuType = nameof(ProcessElfCpuType); + /// + /// process.elf.creation_date + /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + /// + /// + public static string ProcessElfCreationDate = nameof(ProcessElfCreationDate); + /// + /// process.elf.go_import_hash + /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string ProcessElfGoImportHash = nameof(ProcessElfGoImportHash); + /// + /// process.elf.go_imports + /// List of imported Go language element names and types. 
+ /// + /// + public static string ProcessElfGoImports = nameof(ProcessElfGoImports); + /// + /// process.elf.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessElfGoImportsNamesEntropy = nameof(ProcessElfGoImportsNamesEntropy); + /// + /// process.elf.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessElfGoImportsNamesVarEntropy = nameof(ProcessElfGoImportsNamesVarEntropy); + /// + /// process.elf.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string ProcessElfGoStripped = nameof(ProcessElfGoStripped); + /// + /// process.elf.header.abi_version + /// Version of the ELF Application Binary Interface (ABI). + /// + /// + public static string ProcessElfHeaderAbiVersion = nameof(ProcessElfHeaderAbiVersion); + /// + /// process.elf.header.class + /// Header class of the ELF file. + /// + /// + public static string ProcessElfHeaderClass = nameof(ProcessElfHeaderClass); + /// + /// process.elf.header.data + /// Data table of the ELF header. + /// + /// + public static string ProcessElfHeaderData = nameof(ProcessElfHeaderData); + /// + /// process.elf.header.entrypoint + /// Header entrypoint of the ELF file. + /// + /// + public static string ProcessElfHeaderEntrypoint = nameof(ProcessElfHeaderEntrypoint); + /// + /// process.elf.header.object_version + /// "0x1" for original ELF files. + /// + /// + public static string ProcessElfHeaderObjectVersion = nameof(ProcessElfHeaderObjectVersion); + /// + /// process.elf.header.os_abi + /// Application Binary Interface (ABI) of the Linux OS. + /// + /// + public static string ProcessElfHeaderOsAbi = nameof(ProcessElfHeaderOsAbi); + /// + /// process.elf.header.type + /// Header type of the ELF file. 
+ /// + /// + public static string ProcessElfHeaderType = nameof(ProcessElfHeaderType); + /// + /// process.elf.header.version + /// Version of the ELF header. + /// + /// + public static string ProcessElfHeaderVersion = nameof(ProcessElfHeaderVersion); + /// + /// process.elf.import_hash + /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is an ELF implementation of the Windows PE imphash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string ProcessElfImportHash = nameof(ProcessElfImportHash); + /// + /// process.elf.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessElfImportsNamesEntropy = nameof(ProcessElfImportsNamesEntropy); + /// + /// process.elf.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessElfImportsNamesVarEntropy = nameof(ProcessElfImportsNamesVarEntropy); + /// + /// process.elf.telfhash + /// telfhash symbol hash for ELF file. + /// + /// + public static string ProcessElfTelfhash = nameof(ProcessElfTelfhash); + /// + /// process.macho.go_import_hash + /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). 
+ /// 10bddcb4cee42080f76c88d9ff964491 + /// + public static string ProcessMachoGoImportHash = nameof(ProcessMachoGoImportHash); + /// + /// process.macho.go_imports + /// List of imported Go language element names and types. + /// + /// + public static string ProcessMachoGoImports = nameof(ProcessMachoGoImports); + /// + /// process.macho.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessMachoGoImportsNamesEntropy = nameof(ProcessMachoGoImportsNamesEntropy); + /// + /// process.macho.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// + /// + public static string ProcessMachoGoImportsNamesVarEntropy = nameof(ProcessMachoGoImportsNamesVarEntropy); + /// + /// process.macho.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + /// + /// + public static string ProcessMachoGoStripped = nameof(ProcessMachoGoStripped); + /// + /// process.macho.import_hash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for symhash. + /// d41d8cd98f00b204e9800998ecf8427e + /// + public static string ProcessMachoImportHash = nameof(ProcessMachoImportHash); + /// + /// process.macho.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// + /// + public static string ProcessMachoImportsNamesEntropy = nameof(ProcessMachoImportsNamesEntropy); + /// + /// process.macho.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. 
+ /// + /// + public static string ProcessMachoImportsNamesVarEntropy = nameof(ProcessMachoImportsNamesVarEntropy); + /// + /// process.macho.symhash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a Mach-O implementation of the Windows PE imphash + /// d3ccf195b62a9279c3c19af1080497ec + /// + public static string ProcessMachoSymhash = nameof(ProcessMachoSymhash); + /// + /// process.entry_meta.source.address + /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// + /// + public static string ProcessEntryMetaSourceAddress = nameof(ProcessEntryMetaSourceAddress); + /// + /// process.entry_meta.source.bytes + /// Bytes sent from the source to the destination. + /// 184 + /// + public static string ProcessEntryMetaSourceBytes = nameof(ProcessEntryMetaSourceBytes); + /// + /// process.entry_meta.source.domain + /// The domain name of the source system. + /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + /// foo.example.com + /// + public static string ProcessEntryMetaSourceDomain = nameof(ProcessEntryMetaSourceDomain); + /// + /// process.entry_meta.source.ip + /// IP address of the source (IPv4 or IPv6). + /// + /// + public static string ProcessEntryMetaSourceIp = nameof(ProcessEntryMetaSourceIp); + /// + /// process.entry_meta.source.mac + /// MAC address of the source. 
+ /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + /// pattern: + /// 00-00-5E-00-53-23 + /// + public static string ProcessEntryMetaSourceMac = nameof(ProcessEntryMetaSourceMac); + /// + /// process.entry_meta.source.nat.ip + /// Translated ip of source based NAT sessions (e.g. internal client to internet) + /// Typically connections traversing load balancers, firewalls, or routers. + /// + /// + public static string ProcessEntryMetaSourceNatIp = nameof(ProcessEntryMetaSourceNatIp); + /// + /// process.entry_meta.source.nat.port + /// Translated port of source based NAT sessions. (e.g. internal client to internet) + /// Typically used with load balancers, firewalls, or routers. + /// + /// + public static string ProcessEntryMetaSourceNatPort = nameof(ProcessEntryMetaSourceNatPort); + /// + /// process.entry_meta.source.packets + /// Packets sent from the source to the destination. + /// 12 + /// + public static string ProcessEntryMetaSourcePackets = nameof(ProcessEntryMetaSourcePackets); + /// + /// process.entry_meta.source.port + /// Port of the source. + /// + /// + public static string ProcessEntryMetaSourcePort = nameof(ProcessEntryMetaSourcePort); + /// + /// process.entry_meta.source.registered_domain + /// The highest registered source domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+ /// example.com + /// + public static string ProcessEntryMetaSourceRegisteredDomain = nameof(ProcessEntryMetaSourceRegisteredDomain); + /// + /// process.entry_meta.source.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east + /// + public static string ProcessEntryMetaSourceSubdomain = nameof(ProcessEntryMetaSourceSubdomain); + /// + /// process.entry_meta.source.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk + /// + public static string ProcessEntryMetaSourceTopLevelDomain = nameof(ProcessEntryMetaSourceTopLevelDomain); + /// + /// process.entry_meta.source.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string ProcessEntryMetaSourceAsNumber = nameof(ProcessEntryMetaSourceAsNumber); + /// + /// process.entry_meta.source.as.organization.name + /// Organization name. 
+ /// Google LLC + /// + public static string ProcessEntryMetaSourceAsOrganizationName = nameof(ProcessEntryMetaSourceAsOrganizationName); + /// + /// process.entry_meta.source.geo.city_name + /// City name. + /// Montreal + /// + public static string ProcessEntryMetaSourceGeoCityName = nameof(ProcessEntryMetaSourceGeoCityName); + /// + /// process.entry_meta.source.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string ProcessEntryMetaSourceGeoContinentCode = nameof(ProcessEntryMetaSourceGeoContinentCode); + /// + /// process.entry_meta.source.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string ProcessEntryMetaSourceGeoContinentName = nameof(ProcessEntryMetaSourceGeoContinentName); + /// + /// process.entry_meta.source.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ProcessEntryMetaSourceGeoCountryIsoCode = nameof(ProcessEntryMetaSourceGeoCountryIsoCode); + /// + /// process.entry_meta.source.geo.country_name + /// Country name. + /// Canada + /// + public static string ProcessEntryMetaSourceGeoCountryName = nameof(ProcessEntryMetaSourceGeoCountryName); + /// + /// process.entry_meta.source.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ProcessEntryMetaSourceGeoLocation = nameof(ProcessEntryMetaSourceGeoLocation); + /// + /// process.entry_meta.source.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string ProcessEntryMetaSourceGeoName = nameof(ProcessEntryMetaSourceGeoName); + /// + /// process.entry_meta.source.geo.postal_code + /// Postal code associated with the location. 
+ /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string ProcessEntryMetaSourceGeoPostalCode = nameof(ProcessEntryMetaSourceGeoPostalCode); + /// + /// process.entry_meta.source.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ProcessEntryMetaSourceGeoRegionIsoCode = nameof(ProcessEntryMetaSourceGeoRegionIsoCode); + /// + /// process.entry_meta.source.geo.region_name + /// Region name. + /// Quebec + /// + public static string ProcessEntryMetaSourceGeoRegionName = nameof(ProcessEntryMetaSourceGeoRegionName); + /// + /// process.entry_meta.source.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string ProcessEntryMetaSourceGeoTimezone = nameof(ProcessEntryMetaSourceGeoTimezone); + /// + /// process.entry_meta.source.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessEntryMetaSourceUserDomain = nameof(ProcessEntryMetaSourceUserDomain); + /// + /// process.entry_meta.source.user.email + /// User email address. + /// + /// + public static string ProcessEntryMetaSourceUserEmail = nameof(ProcessEntryMetaSourceUserEmail); + /// + /// process.entry_meta.source.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string ProcessEntryMetaSourceUserFullName = nameof(ProcessEntryMetaSourceUserFullName); + /// + /// process.entry_meta.source.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
+ /// + /// + public static string ProcessEntryMetaSourceUserHash = nameof(ProcessEntryMetaSourceUserHash); + /// + /// process.entry_meta.source.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessEntryMetaSourceUserId = nameof(ProcessEntryMetaSourceUserId); + /// + /// process.entry_meta.source.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessEntryMetaSourceUserName = nameof(ProcessEntryMetaSourceUserName); + /// + /// process.entry_meta.source.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessEntryMetaSourceUserGroupDomain = nameof(ProcessEntryMetaSourceUserGroupDomain); + /// + /// process.entry_meta.source.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessEntryMetaSourceUserGroupId = nameof(ProcessEntryMetaSourceUserGroupId); + /// + /// process.entry_meta.source.user.group.name + /// Name of the group. + /// + /// + public static string ProcessEntryMetaSourceUserGroupName = nameof(ProcessEntryMetaSourceUserGroupName); + /// + /// process.entry_meta.source.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ProcessEntryMetaSourceUserRiskCalculatedLevel = nameof(ProcessEntryMetaSourceUserRiskCalculatedLevel); + /// + /// process.entry_meta.source.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ /// 880.73 + /// + public static string ProcessEntryMetaSourceUserRiskCalculatedScore = nameof(ProcessEntryMetaSourceUserRiskCalculatedScore); + /// + /// process.entry_meta.source.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ProcessEntryMetaSourceUserRiskCalculatedScoreNorm = nameof(ProcessEntryMetaSourceUserRiskCalculatedScoreNorm); + /// + /// process.entry_meta.source.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ProcessEntryMetaSourceUserRiskStaticLevel = nameof(ProcessEntryMetaSourceUserRiskStaticLevel); + /// + /// process.entry_meta.source.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ProcessEntryMetaSourceUserRiskStaticScore = nameof(ProcessEntryMetaSourceUserRiskStaticScore); + /// + /// process.entry_meta.source.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ProcessEntryMetaSourceUserRiskStaticScoreNorm = nameof(ProcessEntryMetaSourceUserRiskStaticScoreNorm); + /// + /// process.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessUserDomain = nameof(ProcessUserDomain); + /// + /// process.user.email + /// User email address. + /// + /// + public static string ProcessUserEmail = nameof(ProcessUserEmail); + /// + /// process.user.full_name + /// User's full name, if available. 
+ /// Albert Einstein + /// + public static string ProcessUserFullName = nameof(ProcessUserFullName); + /// + /// process.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ProcessUserHash = nameof(ProcessUserHash); + /// + /// process.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessUserId = nameof(ProcessUserId); + /// + /// process.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessUserName = nameof(ProcessUserName); + /// + /// process.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessUserGroupDomain = nameof(ProcessUserGroupDomain); + /// + /// process.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessUserGroupId = nameof(ProcessUserGroupId); + /// + /// process.user.group.name + /// Name of the group. + /// + /// + public static string ProcessUserGroupName = nameof(ProcessUserGroupName); + /// + /// process.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ProcessUserRiskCalculatedLevel = nameof(ProcessUserRiskCalculatedLevel); + /// + /// process.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ /// 880.73 + /// + public static string ProcessUserRiskCalculatedScore = nameof(ProcessUserRiskCalculatedScore); + /// + /// process.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ProcessUserRiskCalculatedScoreNorm = nameof(ProcessUserRiskCalculatedScoreNorm); + /// + /// process.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ProcessUserRiskStaticLevel = nameof(ProcessUserRiskStaticLevel); + /// + /// process.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ProcessUserRiskStaticScore = nameof(ProcessUserRiskStaticScore); + /// + /// process.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ProcessUserRiskStaticScoreNorm = nameof(ProcessUserRiskStaticScoreNorm); + /// + /// process.saved_user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessSavedUserDomain = nameof(ProcessSavedUserDomain); + /// + /// process.saved_user.email + /// User email address. + /// + /// + public static string ProcessSavedUserEmail = nameof(ProcessSavedUserEmail); + /// + /// process.saved_user.full_name + /// User's full name, if available. 
+ /// Albert Einstein + /// + public static string ProcessSavedUserFullName = nameof(ProcessSavedUserFullName); + /// + /// process.saved_user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ProcessSavedUserHash = nameof(ProcessSavedUserHash); + /// + /// process.saved_user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessSavedUserId = nameof(ProcessSavedUserId); + /// + /// process.saved_user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessSavedUserName = nameof(ProcessSavedUserName); + /// + /// process.saved_user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessSavedUserGroupDomain = nameof(ProcessSavedUserGroupDomain); + /// + /// process.saved_user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessSavedUserGroupId = nameof(ProcessSavedUserGroupId); + /// + /// process.saved_user.group.name + /// Name of the group. + /// + /// + public static string ProcessSavedUserGroupName = nameof(ProcessSavedUserGroupName); + /// + /// process.saved_user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ProcessSavedUserRiskCalculatedLevel = nameof(ProcessSavedUserRiskCalculatedLevel); + /// + /// process.saved_user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ /// 880.73 + /// + public static string ProcessSavedUserRiskCalculatedScore = nameof(ProcessSavedUserRiskCalculatedScore); + /// + /// process.saved_user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ProcessSavedUserRiskCalculatedScoreNorm = nameof(ProcessSavedUserRiskCalculatedScoreNorm); + /// + /// process.saved_user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ProcessSavedUserRiskStaticLevel = nameof(ProcessSavedUserRiskStaticLevel); + /// + /// process.saved_user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ProcessSavedUserRiskStaticScore = nameof(ProcessSavedUserRiskStaticScore); + /// + /// process.saved_user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ProcessSavedUserRiskStaticScoreNorm = nameof(ProcessSavedUserRiskStaticScoreNorm); + /// + /// process.real_user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessRealUserDomain = nameof(ProcessRealUserDomain); + /// + /// process.real_user.email + /// User email address. + /// + /// + public static string ProcessRealUserEmail = nameof(ProcessRealUserEmail); + /// + /// process.real_user.full_name + /// User's full name, if available. 
+ /// Albert Einstein + /// + public static string ProcessRealUserFullName = nameof(ProcessRealUserFullName); + /// + /// process.real_user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ProcessRealUserHash = nameof(ProcessRealUserHash); + /// + /// process.real_user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessRealUserId = nameof(ProcessRealUserId); + /// + /// process.real_user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessRealUserName = nameof(ProcessRealUserName); + /// + /// process.real_user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessRealUserGroupDomain = nameof(ProcessRealUserGroupDomain); + /// + /// process.real_user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessRealUserGroupId = nameof(ProcessRealUserGroupId); + /// + /// process.real_user.group.name + /// Name of the group. + /// + /// + public static string ProcessRealUserGroupName = nameof(ProcessRealUserGroupName); + /// + /// process.real_user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ProcessRealUserRiskCalculatedLevel = nameof(ProcessRealUserRiskCalculatedLevel); + /// + /// process.real_user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ /// 880.73 + /// + public static string ProcessRealUserRiskCalculatedScore = nameof(ProcessRealUserRiskCalculatedScore); + /// + /// process.real_user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ProcessRealUserRiskCalculatedScoreNorm = nameof(ProcessRealUserRiskCalculatedScoreNorm); + /// + /// process.real_user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ProcessRealUserRiskStaticLevel = nameof(ProcessRealUserRiskStaticLevel); + /// + /// process.real_user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ProcessRealUserRiskStaticScore = nameof(ProcessRealUserRiskStaticScore); + /// + /// process.real_user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ProcessRealUserRiskStaticScoreNorm = nameof(ProcessRealUserRiskStaticScoreNorm); + /// + /// process.attested_user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessAttestedUserDomain = nameof(ProcessAttestedUserDomain); + /// + /// process.attested_user.email + /// User email address. + /// + /// + public static string ProcessAttestedUserEmail = nameof(ProcessAttestedUserEmail); + /// + /// process.attested_user.full_name + /// User's full name, if available. 
+ /// Albert Einstein + /// + public static string ProcessAttestedUserFullName = nameof(ProcessAttestedUserFullName); + /// + /// process.attested_user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ProcessAttestedUserHash = nameof(ProcessAttestedUserHash); + /// + /// process.attested_user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ProcessAttestedUserId = nameof(ProcessAttestedUserId); + /// + /// process.attested_user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ProcessAttestedUserName = nameof(ProcessAttestedUserName); + /// + /// process.attested_user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ProcessAttestedUserGroupDomain = nameof(ProcessAttestedUserGroupDomain); + /// + /// process.attested_user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ProcessAttestedUserGroupId = nameof(ProcessAttestedUserGroupId); + /// + /// process.attested_user.group.name + /// Name of the group. + /// + /// + public static string ProcessAttestedUserGroupName = nameof(ProcessAttestedUserGroupName); + /// + /// process.attested_user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ProcessAttestedUserRiskCalculatedLevel = nameof(ProcessAttestedUserRiskCalculatedLevel); + /// + /// process.attested_user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ /// 880.73 + /// + public static string ProcessAttestedUserRiskCalculatedScore = nameof(ProcessAttestedUserRiskCalculatedScore); + /// + /// process.attested_user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ProcessAttestedUserRiskCalculatedScoreNorm = nameof(ProcessAttestedUserRiskCalculatedScoreNorm); + /// + /// process.attested_user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ProcessAttestedUserRiskStaticLevel = nameof(ProcessAttestedUserRiskStaticLevel); + /// + /// process.attested_user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ProcessAttestedUserRiskStaticScore = nameof(ProcessAttestedUserRiskStaticScore); + /// + /// process.attested_user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ProcessAttestedUserRiskStaticScoreNorm = nameof(ProcessAttestedUserRiskStaticScoreNorm); + /// + /// registry.data.bytes + /// Original bytes written with base64 encoding. + /// For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
+ /// ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + /// + public static string RegistryDataBytes = nameof(RegistryDataBytes); + /// + /// registry.data.type + /// Standard registry type for encoding contents + /// REG_SZ + /// + public static string RegistryDataType = nameof(RegistryDataType); + /// + /// registry.hive + /// Abbreviated name for the hive. + /// HKLM + /// + public static string RegistryHive = nameof(RegistryHive); + /// + /// registry.key + /// Hive-relative path of keys. + /// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + /// + public static string RegistryKey = nameof(RegistryKey); + /// + /// registry.path + /// Full path, including hive, key and value + /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + /// + public static string RegistryPath = nameof(RegistryPath); + /// + /// registry.value + /// Name of the value written. + /// Debugger + /// + public static string RegistryValue = nameof(RegistryValue); + /// + /// risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string RiskCalculatedLevel = nameof(RiskCalculatedLevel); + /// + /// risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string RiskCalculatedScore = nameof(RiskCalculatedScore); + /// + /// risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string RiskCalculatedScoreNorm = nameof(RiskCalculatedScoreNorm); + /// + /// risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ /// High + /// + public static string RiskStaticLevel = nameof(RiskStaticLevel); + /// + /// risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string RiskStaticScore = nameof(RiskStaticScore); + /// + /// risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string RiskStaticScoreNorm = nameof(RiskStaticScoreNorm); + /// + /// rule.category + /// A categorization value keyword used by the entity using the rule for detection of this event. + /// Attempted Information Leak + /// + public static string RuleCategory = nameof(RuleCategory); + /// + /// rule.description + /// The description of the rule generating the event. + /// Block requests to public DNS over HTTPS / TLS protocols + /// + public static string RuleDescription = nameof(RuleDescription); + /// + /// rule.id + /// A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + /// 101 + /// + public static string RuleId = nameof(RuleId); + /// + /// rule.license + /// Name of the license under which the rule used to generate this event is made available. + /// Apache 2.0 + /// + public static string RuleLicense = nameof(RuleLicense); + /// + /// rule.name + /// The name of the rule or signature generating the event. + /// BLOCK_DNS_over_TLS + /// + public static string RuleName = nameof(RuleName); + /// + /// rule.reference + /// Reference URL to additional information about the rule used to generate this event. + /// The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. 
+ /// https://en.wikipedia.org/wiki/DNS_over_TLS + /// + public static string RuleReference = nameof(RuleReference); + /// + /// rule.ruleset + /// Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + /// Standard_Protocol_Filters + /// + public static string RuleRuleset = nameof(RuleRuleset); + /// + /// rule.uuid + /// A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + /// 1100110011 + /// + public static string RuleUuid = nameof(RuleUuid); + /// + /// rule.version + /// The version / revision of the rule being used for analysis. + /// 1.1 + /// + public static string RuleVersion = nameof(RuleVersion); + /// + /// server.address + /// Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// + /// + public static string ServerAddress = nameof(ServerAddress); + /// + /// server.bytes + /// Bytes sent from the server to the client. + /// 184 + /// + public static string ServerBytes = nameof(ServerBytes); + /// + /// server.domain + /// The domain name of the server system. + /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + /// foo.example.com + /// + public static string ServerDomain = nameof(ServerDomain); + /// + /// server.ip + /// IP address of the server (IPv4 or IPv6). + /// + /// + public static string ServerIp = nameof(ServerIp); + /// + /// server.mac + /// MAC address of the server. 
+ /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + /// pattern: + /// 00-00-5E-00-53-23 + /// + public static string ServerMac = nameof(ServerMac); + /// + /// server.nat.ip + /// Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + /// Typically used with load balancers, firewalls, or routers. + /// + /// + public static string ServerNatIp = nameof(ServerNatIp); + /// + /// server.nat.port + /// Translated port of destination based NAT sessions (e.g. internet to private DMZ) + /// Typically used with load balancers, firewalls, or routers. + /// + /// + public static string ServerNatPort = nameof(ServerNatPort); + /// + /// server.packets + /// Packets sent from the server to the client. + /// 12 + /// + public static string ServerPackets = nameof(ServerPackets); + /// + /// server.port + /// Port of the server. + /// + /// + public static string ServerPort = nameof(ServerPort); + /// + /// server.registered_domain + /// The highest registered server domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com + /// + public static string ServerRegisteredDomain = nameof(ServerRegisteredDomain); + /// + /// server.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. 
+ /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east + /// + public static string ServerSubdomain = nameof(ServerSubdomain); + /// + /// server.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk + /// + public static string ServerTopLevelDomain = nameof(ServerTopLevelDomain); + /// + /// server.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string ServerAsNumber = nameof(ServerAsNumber); + /// + /// server.as.organization.name + /// Organization name. + /// Google LLC + /// + public static string ServerAsOrganizationName = nameof(ServerAsOrganizationName); + /// + /// server.geo.city_name + /// City name. + /// Montreal + /// + public static string ServerGeoCityName = nameof(ServerGeoCityName); + /// + /// server.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string ServerGeoContinentCode = nameof(ServerGeoContinentCode); + /// + /// server.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string ServerGeoContinentName = nameof(ServerGeoContinentName); + /// + /// server.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string ServerGeoCountryIsoCode = nameof(ServerGeoCountryIsoCode); + /// + /// server.geo.country_name + /// Country name. 
+ /// Canada + /// + public static string ServerGeoCountryName = nameof(ServerGeoCountryName); + /// + /// server.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string ServerGeoLocation = nameof(ServerGeoLocation); + /// + /// server.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string ServerGeoName = nameof(ServerGeoName); + /// + /// server.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string ServerGeoPostalCode = nameof(ServerGeoPostalCode); + /// + /// server.geo.region_iso_code + /// Region ISO code. + /// CA-QC + /// + public static string ServerGeoRegionIsoCode = nameof(ServerGeoRegionIsoCode); + /// + /// server.geo.region_name + /// Region name. + /// Quebec + /// + public static string ServerGeoRegionName = nameof(ServerGeoRegionName); + /// + /// server.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string ServerGeoTimezone = nameof(ServerGeoTimezone); + /// + /// server.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ServerUserDomain = nameof(ServerUserDomain); + /// + /// server.user.email + /// User email address. + /// + /// + public static string ServerUserEmail = nameof(ServerUserEmail); + /// + /// server.user.full_name + /// User's full name, if available. 
+ /// Albert Einstein + /// + public static string ServerUserFullName = nameof(ServerUserFullName); + /// + /// server.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string ServerUserHash = nameof(ServerUserHash); + /// + /// server.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string ServerUserId = nameof(ServerUserId); + /// + /// server.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string ServerUserName = nameof(ServerUserName); + /// + /// server.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string ServerUserGroupDomain = nameof(ServerUserGroupDomain); + /// + /// server.user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string ServerUserGroupId = nameof(ServerUserGroupId); + /// + /// server.user.group.name + /// Name of the group. + /// + /// + public static string ServerUserGroupName = nameof(ServerUserGroupName); + /// + /// server.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string ServerUserRiskCalculatedLevel = nameof(ServerUserRiskCalculatedLevel); + /// + /// server.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ /// 880.73 + /// + public static string ServerUserRiskCalculatedScore = nameof(ServerUserRiskCalculatedScore); + /// + /// server.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string ServerUserRiskCalculatedScoreNorm = nameof(ServerUserRiskCalculatedScoreNorm); + /// + /// server.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string ServerUserRiskStaticLevel = nameof(ServerUserRiskStaticLevel); + /// + /// server.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string ServerUserRiskStaticScore = nameof(ServerUserRiskStaticScore); + /// + /// server.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string ServerUserRiskStaticScoreNorm = nameof(ServerUserRiskStaticScoreNorm); + /// + /// service.address + /// Address where data about this service was collected from. + /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + /// 172.26.0.2:5432 + /// + public static string ServiceAddress = nameof(ServiceAddress); + /// + /// service.environment + /// Identifies the environment where the service is running. + /// If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + ///
This field is beta and subject to change.
+ /// production + ///
+ public static string ServiceEnvironment = nameof(ServiceEnvironment); + /// + /// service.ephemeral_id + /// Ephemeral identifier of this service (if one exists). + /// This id normally changes across restarts, but `service.id` does not. + /// 8a4f500f + /// + public static string ServiceEphemeralId = nameof(ServiceEphemeralId); + /// + /// service.id + /// Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + /// This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + /// Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + /// d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + /// + public static string ServiceId = nameof(ServiceId); + /// + /// service.name + /// Name of the service data is collected from. + /// The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + /// In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + /// elasticsearch-metrics + /// + public static string ServiceName = nameof(ServiceName); + /// + /// service.node.name + /// Name of a service node. + /// This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + /// In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. 
In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + /// instance-0000000016 + /// + public static string ServiceNodeName = nameof(ServiceNodeName); + /// + /// service.node.role + /// Deprecated for removal in next major version release. This field will be superseded by `node.roles`. + /// Role of a service node. + /// This allows for distinction between different running roles of the same service. + /// In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + /// In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. + /// Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + /// background_tasks + /// + public static string ServiceNodeRole = nameof(ServiceNodeRole); + /// + /// service.state + /// Current state of the service. + /// + /// + public static string ServiceState = nameof(ServiceState); + /// + /// service.type + /// The type of the service data is collected from. + /// The type can be used to group and correlate logs and metrics from one service type. + /// Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + /// elasticsearch + /// + public static string ServiceType = nameof(ServiceType); + /// + /// service.version + /// Version of the service the data was collected from. + /// This allows to look at a data set only for a specific version of a service. + /// 3.2.4 + /// + public static string ServiceVersion = nameof(ServiceVersion); + /// + /// source.address + /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. + /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// + /// + public static string SourceAddress = nameof(SourceAddress); + /// + /// source.bytes + /// Bytes sent from the source to the destination. + /// 184 + /// + public static string SourceBytes = nameof(SourceBytes); + /// + /// source.domain + /// The domain name of the source system. + /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + /// foo.example.com + /// + public static string SourceDomain = nameof(SourceDomain); + /// + /// source.ip + /// IP address of the source (IPv4 or IPv6). + /// + /// + public static string SourceIp = nameof(SourceIp); + /// + /// source.mac + /// MAC address of the source. + /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + /// pattern: + /// 00-00-5E-00-53-23 + /// + public static string SourceMac = nameof(SourceMac); + /// + /// source.nat.ip + /// Translated ip of source based NAT sessions (e.g. internal client to internet) + /// Typically connections traversing load balancers, firewalls, or routers. + /// + /// + public static string SourceNatIp = nameof(SourceNatIp); + /// + /// source.nat.port + /// Translated port of source based NAT sessions. (e.g. internal client to internet) + /// Typically used with load balancers, firewalls, or routers. + /// + /// + public static string SourceNatPort = nameof(SourceNatPort); + /// + /// source.packets + /// Packets sent from the source to the destination. + /// 12 + /// + public static string SourcePackets = nameof(SourcePackets); + /// + /// source.port + /// Port of the source. 
+ /// + /// + public static string SourcePort = nameof(SourcePort); + /// + /// source.registered_domain + /// The highest registered source domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com + /// + public static string SourceRegisteredDomain = nameof(SourceRegisteredDomain); + /// + /// source.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east + /// + public static string SourceSubdomain = nameof(SourceSubdomain); + /// + /// source.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk + /// + public static string SourceTopLevelDomain = nameof(SourceTopLevelDomain); + /// + /// source.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
+ /// 15169 + /// + public static string SourceAsNumber = nameof(SourceAsNumber); + /// + /// source.as.organization.name + /// Organization name. + /// Google LLC + /// + public static string SourceAsOrganizationName = nameof(SourceAsOrganizationName); + /// + /// source.geo.city_name + /// City name. + /// Montreal + /// + public static string SourceGeoCityName = nameof(SourceGeoCityName); + /// + /// source.geo.continent_code + /// Two-letter code representing continent's name. + /// NA + /// + public static string SourceGeoContinentCode = nameof(SourceGeoContinentCode); + /// + /// source.geo.continent_name + /// Name of the continent. + /// North America + /// + public static string SourceGeoContinentName = nameof(SourceGeoContinentName); + /// + /// source.geo.country_iso_code + /// Country ISO code. + /// CA + /// + public static string SourceGeoCountryIsoCode = nameof(SourceGeoCountryIsoCode); + /// + /// source.geo.country_name + /// Country name. + /// Canada + /// + public static string SourceGeoCountryName = nameof(SourceGeoCountryName); + /// + /// source.geo.location + /// Longitude and latitude. + /// { "lon": -73.614830, "lat": 45.505918 } + /// + public static string SourceGeoLocation = nameof(SourceGeoLocation); + /// + /// source.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc + /// + public static string SourceGeoName = nameof(SourceGeoName); + /// + /// source.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 + /// + public static string SourceGeoPostalCode = nameof(SourceGeoPostalCode); + /// + /// source.geo.region_iso_code + /// Region ISO code. 
+ /// CA-QC + /// + public static string SourceGeoRegionIsoCode = nameof(SourceGeoRegionIsoCode); + /// + /// source.geo.region_name + /// Region name. + /// Quebec + /// + public static string SourceGeoRegionName = nameof(SourceGeoRegionName); + /// + /// source.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires + /// + public static string SourceGeoTimezone = nameof(SourceGeoTimezone); + /// + /// source.user.domain + /// Name of the directory the user is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string SourceUserDomain = nameof(SourceUserDomain); + /// + /// source.user.email + /// User email address. + /// + /// + public static string SourceUserEmail = nameof(SourceUserEmail); + /// + /// source.user.full_name + /// User's full name, if available. + /// Albert Einstein + /// + public static string SourceUserFullName = nameof(SourceUserFullName); + /// + /// source.user.hash + /// Unique user hash to correlate information for a user in anonymized form. + /// Useful if `user.id` or `user.name` contain confidential information and cannot be used. + /// + /// + public static string SourceUserHash = nameof(SourceUserHash); + /// + /// source.user.id + /// Unique identifier of the user. + /// S-1-5-21-202424912787-2692429404-2351956786-1000 + /// + public static string SourceUserId = nameof(SourceUserId); + /// + /// source.user.name + /// Short name or login of the user. + /// a.einstein + /// + public static string SourceUserName = nameof(SourceUserName); + /// + /// source.user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string SourceUserGroupDomain = nameof(SourceUserGroupDomain); + /// + /// source.user.group.id + /// Unique identifier for the group on the system/platform. 
+ /// + /// + public static string SourceUserGroupId = nameof(SourceUserGroupId); + /// + /// source.user.group.name + /// Name of the group. + /// + /// + public static string SourceUserGroupName = nameof(SourceUserGroupName); + /// + /// source.user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string SourceUserRiskCalculatedLevel = nameof(SourceUserRiskCalculatedLevel); + /// + /// source.user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string SourceUserRiskCalculatedScore = nameof(SourceUserRiskCalculatedScore); + /// + /// source.user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string SourceUserRiskCalculatedScoreNorm = nameof(SourceUserRiskCalculatedScoreNorm); + /// + /// source.user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string SourceUserRiskStaticLevel = nameof(SourceUserRiskStaticLevel); + /// + /// source.user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + /// 830.0 + /// + public static string SourceUserRiskStaticScore = nameof(SourceUserRiskStaticScore); + /// + /// source.user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. 
+ /// 83.0 + /// + public static string SourceUserRiskStaticScoreNorm = nameof(SourceUserRiskStaticScoreNorm); + /// + /// threat.feed.dashboard_id + /// The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. + /// 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f + /// + public static string ThreatFeedDashboardId = nameof(ThreatFeedDashboardId); + /// + /// threat.feed.description + /// Description of the threat feed in a UI friendly format. + /// Threat feed from the AlienVault Open Threat eXchange network. + /// + public static string ThreatFeedDescription = nameof(ThreatFeedDescription); + /// + /// threat.feed.name + /// The name of the threat feed in UI friendly format. + /// AlienVault OTX + /// + public static string ThreatFeedName = nameof(ThreatFeedName); + /// + /// threat.feed.reference + /// Reference information for the threat feed in a UI friendly format. + /// https://otx.alienvault.com + /// + public static string ThreatFeedReference = nameof(ThreatFeedReference); + /// + /// threat.framework + /// Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + /// MITRE ATT&CK + /// + public static string ThreatFramework = nameof(ThreatFramework); + /// + /// threat.group.id + /// The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. + /// While not required, you can use a MITRE ATT&CK® group id. + /// G0037 + /// + public static string ThreatGroupId = nameof(ThreatGroupId); + /// + /// threat.group.name + /// The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. + /// While not required, you can use a MITRE ATT&CK® group name. 
+ /// FIN6 + /// + public static string ThreatGroupName = nameof(ThreatGroupName); + /// + /// threat.group.reference + /// The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. + /// While not required, you can use a MITRE ATT&CK® group reference URL. + /// https://attack.mitre.org/groups/G0037/ + /// + public static string ThreatGroupReference = nameof(ThreatGroupReference); + /// + /// threat.indicator.confidence + /// Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + ///
Expected Values:
+ /// + /// Not Specified + /// None + /// Low + /// Medium + /// High + ///
+ /// Medium + ///
+ public static string ThreatIndicatorConfidence = nameof(ThreatIndicatorConfidence); + /// + /// threat.indicator.description + /// Describes the type of action conducted by the threat. + /// IP x.x.x.x was observed delivering the Angler EK. + /// + public static string ThreatIndicatorDescription = nameof(ThreatIndicatorDescription); + /// + /// threat.indicator.email.address + /// Identifies a threat indicator as an email address (irrespective of direction). + /// phish@example.com + /// + public static string ThreatIndicatorEmailAddress = nameof(ThreatIndicatorEmailAddress); + /// + /// threat.indicator.first_seen + /// The date and time when intelligence source first reported sighting this indicator. + /// 11/5/2020 5:25:47 PM + /// + public static string ThreatIndicatorFirstSeen = nameof(ThreatIndicatorFirstSeen); + /// + /// threat.indicator.ip + /// Identifies a threat indicator as an IP address (irrespective of direction). + /// 1.2.3.4 + /// + public static string ThreatIndicatorIp = nameof(ThreatIndicatorIp); + /// + /// threat.indicator.last_seen + /// The date and time when intelligence source last reported sighting this indicator. + /// 11/5/2020 5:25:47 PM + /// + public static string ThreatIndicatorLastSeen = nameof(ThreatIndicatorLastSeen); + /// + /// threat.indicator.marking.tlp + /// Traffic Light Protocol sharing markings. + ///
Expected Values:
+ /// + /// WHITE + /// CLEAR + /// GREEN + /// AMBER + /// AMBER+STRICT + /// RED + ///
+ /// CLEAR + ///
+ public static string ThreatIndicatorMarkingTlp = nameof(ThreatIndicatorMarkingTlp); + /// + /// threat.indicator.marking.tlp_version + /// Traffic Light Protocol version. + /// 2.0 + /// + public static string ThreatIndicatorMarkingTlpVersion = nameof(ThreatIndicatorMarkingTlpVersion); + /// + /// threat.indicator.modified_at + /// The date and time when intelligence source last modified information for this indicator. + /// 11/5/2020 5:25:47 PM + /// + public static string ThreatIndicatorModifiedAt = nameof(ThreatIndicatorModifiedAt); + /// + /// threat.indicator.name + /// The display name indicator in an UI friendly format + /// URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. + /// 5.2.75.227 + /// + public static string ThreatIndicatorName = nameof(ThreatIndicatorName); + /// + /// threat.indicator.port + /// Identifies a threat indicator as a port number (irrespective of direction). + /// 443 + /// + public static string ThreatIndicatorPort = nameof(ThreatIndicatorPort); + /// + /// threat.indicator.provider + /// The name of the indicator's provider. + /// lrz_urlhaus + /// + public static string ThreatIndicatorProvider = nameof(ThreatIndicatorProvider); + /// + /// threat.indicator.reference + /// Reference URL linking to additional information about this indicator. + /// https://system.example.com/indicator/0001234 + /// + public static string ThreatIndicatorReference = nameof(ThreatIndicatorReference); + /// + /// threat.indicator.scanner_stats + /// Count of AV/EDR vendors that successfully detected malicious file or URL. + /// 4 + /// + public static string ThreatIndicatorScannerStats = nameof(ThreatIndicatorScannerStats); + /// + /// threat.indicator.sightings + /// Number of times this indicator was observed conducting threat activity. 
+ /// 20 + /// + public static string ThreatIndicatorSightings = nameof(ThreatIndicatorSightings); /// - /// process.pgid - /// Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - /// Identifier of the group of processes the process belongs to. + /// threat.indicator.type + /// Type of indicator as represented by Cyber Observable in STIX 2.0. + ///
Expected Values:
+ /// + /// autonomous-system + /// artifact + /// directory + /// domain-name + /// email-addr + /// file + /// ipv4-addr + /// ipv6-addr + /// mac-addr + /// mutex + /// port + /// process + /// software + /// url + /// user-account + /// windows-registry-key + /// x509-certificate + ///
+ /// ipv4-addr + ///
+ public static string ThreatIndicatorType = nameof(ThreatIndicatorType); + /// + /// threat.software.id + /// The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software id. + /// S0552 + /// + public static string ThreatSoftwareId = nameof(ThreatSoftwareId); + /// + /// threat.software.name + /// The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software name. + /// AdFind + /// + public static string ThreatSoftwareName = nameof(ThreatSoftwareName); + /// + /// threat.software.reference + /// The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software reference URL. + /// https://attack.mitre.org/software/S0552/ + /// + public static string ThreatSoftwareReference = nameof(ThreatSoftwareReference); + /// + /// threat.software.type + /// The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + /// While not required, you can use a MITRE ATT&CK® software type. + ///
Expected Values:
+ /// + /// Malware + /// Tool + ///
+ /// Tool + ///
+ public static string ThreatSoftwareType = nameof(ThreatSoftwareType); + /// + /// threat.indicator.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + /// + public static string ThreatIndicatorX509IssuerDistinguishedName = nameof(ThreatIndicatorX509IssuerDistinguishedName); + /// + /// threat.indicator.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM + /// + public static string ThreatIndicatorX509NotAfter = nameof(ThreatIndicatorX509NotAfter); + /// + /// threat.indicator.x509.not_before + /// Time at which the certificate is first considered valid. + /// 8/16/2019 1:40:25 AM + /// + public static string ThreatIndicatorX509NotBefore = nameof(ThreatIndicatorX509NotBefore); + /// + /// threat.indicator.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA + /// + public static string ThreatIndicatorX509PublicKeyAlgorithm = nameof(ThreatIndicatorX509PublicKeyAlgorithm); + /// + /// threat.indicator.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 + /// + public static string ThreatIndicatorX509PublicKeyCurve = nameof(ThreatIndicatorX509PublicKeyCurve); + /// + /// threat.indicator.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 + ///
+ public static string ThreatIndicatorX509PublicKeyExponent = nameof(ThreatIndicatorX509PublicKeyExponent); + /// + /// threat.indicator.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 + /// + public static string ThreatIndicatorX509PublicKeySize = nameof(ThreatIndicatorX509PublicKeySize); + /// + /// threat.indicator.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA + /// + public static string ThreatIndicatorX509SerialNumber = nameof(ThreatIndicatorX509SerialNumber); + /// + /// threat.indicator.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA + /// + public static string ThreatIndicatorX509SignatureAlgorithm = nameof(ThreatIndicatorX509SignatureAlgorithm); + /// + /// threat.indicator.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. + /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + /// + public static string ThreatIndicatorX509SubjectDistinguishedName = nameof(ThreatIndicatorX509SubjectDistinguishedName); + /// + /// threat.indicator.x509.version_number + /// Version of x509 format. + /// 3 + /// + public static string ThreatIndicatorX509VersionNumber = nameof(ThreatIndicatorX509VersionNumber); + /// + /// threat.indicator.as.number + /// Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + /// 15169 + /// + public static string ThreatIndicatorAsNumber = nameof(ThreatIndicatorAsNumber); + /// + /// threat.indicator.as.organization.name + /// Organization name. 
+ /// Google LLC + /// + public static string ThreatIndicatorAsOrganizationName = nameof(ThreatIndicatorAsOrganizationName); + /// + /// threat.indicator.file.accessed + /// Last time the file was accessed. + /// Note that not all filesystems keep track of access time. /// /// - public static string ProcessPgid = nameof(ProcessPgid); + public static string ThreatIndicatorFileAccessed = nameof(ThreatIndicatorFileAccessed); /// - /// process.pid - /// Process id. - /// 4242 + /// threat.indicator.file.created + /// File creation time. + /// Note that not all filesystems store the creation time. + /// + /// + public static string ThreatIndicatorFileCreated = nameof(ThreatIndicatorFileCreated); + /// + /// threat.indicator.file.ctime + /// Last time the file attributes or metadata changed. + /// Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + /// + /// + public static string ThreatIndicatorFileCtime = nameof(ThreatIndicatorFileCtime); + /// + /// threat.indicator.file.device + /// Device that is the source of the file. + /// sda + /// + public static string ThreatIndicatorFileDevice = nameof(ThreatIndicatorFileDevice); + /// + /// threat.indicator.file.directory + /// Directory where the file is located. It should include the drive letter, when appropriate. + /// /home/alice + /// + public static string ThreatIndicatorFileDirectory = nameof(ThreatIndicatorFileDirectory); + /// + /// threat.indicator.file.drive_letter + /// Drive letter where the file is located. This field is only relevant on Windows. + /// The value should be uppercase, and not include the colon. + /// C + /// + public static string ThreatIndicatorFileDriveLetter = nameof(ThreatIndicatorFileDriveLetter); + /// + /// threat.indicator.file.extension + /// File extension, excluding the leading dot. 
+ /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + /// png + /// + public static string ThreatIndicatorFileExtension = nameof(ThreatIndicatorFileExtension); + /// + /// threat.indicator.file.fork_name + /// A fork is additional data associated with a filesystem object. + /// On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. + /// On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + /// Zone.Identifer + /// + public static string ThreatIndicatorFileForkName = nameof(ThreatIndicatorFileForkName); + /// + /// threat.indicator.file.gid + /// Primary group ID (GID) of the file. + /// 1001 + /// + public static string ThreatIndicatorFileGid = nameof(ThreatIndicatorFileGid); + /// + /// threat.indicator.file.group + /// Primary group name of the file. + /// alice + /// + public static string ThreatIndicatorFileGroup = nameof(ThreatIndicatorFileGroup); + /// + /// threat.indicator.file.inode + /// Inode representing the file in the filesystem. + /// 256383 + /// + public static string ThreatIndicatorFileInode = nameof(ThreatIndicatorFileInode); + /// + /// threat.indicator.file.mime_type + /// MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used. + /// + /// + public static string ThreatIndicatorFileMimeType = nameof(ThreatIndicatorFileMimeType); + /// + /// threat.indicator.file.mode + /// Mode of the file in octal representation. + /// 0640 + /// + public static string ThreatIndicatorFileMode = nameof(ThreatIndicatorFileMode); + /// + /// threat.indicator.file.mtime + /// Last time the file content was modified. + /// + /// + public static string ThreatIndicatorFileMtime = nameof(ThreatIndicatorFileMtime); + /// + /// threat.indicator.file.name + /// Name of the file including the extension, without the directory. + /// example.png + /// + public static string ThreatIndicatorFileName = nameof(ThreatIndicatorFileName); + /// + /// threat.indicator.file.owner + /// File owner's username. + /// alice + /// + public static string ThreatIndicatorFileOwner = nameof(ThreatIndicatorFileOwner); + /// + /// threat.indicator.file.path + /// Full path to the file, including the file name. It should include the drive letter, when appropriate. + /// /home/alice/example.png + /// + public static string ThreatIndicatorFilePath = nameof(ThreatIndicatorFilePath); + /// + /// threat.indicator.file.size + /// File size in bytes. + /// Only relevant when `file.type` is "file". + /// 16384 + /// + public static string ThreatIndicatorFileSize = nameof(ThreatIndicatorFileSize); + /// + /// threat.indicator.file.target_path + /// Target path for symlinks. + /// + /// + public static string ThreatIndicatorFileTargetPath = nameof(ThreatIndicatorFileTargetPath); + /// + /// threat.indicator.file.type + /// File type (file, dir, or symlink). + /// file + /// + public static string ThreatIndicatorFileType = nameof(ThreatIndicatorFileType); + /// + /// threat.indicator.file.uid + /// The user ID (UID) or security identifier (SID) of the file owner. 
+ /// 1001 + /// + public static string ThreatIndicatorFileUid = nameof(ThreatIndicatorFileUid); + /// + /// threat.indicator.file.hash.md5 + /// MD5 hash. + /// + /// + public static string ThreatIndicatorFileHashMd5 = nameof(ThreatIndicatorFileHashMd5); + /// + /// threat.indicator.file.hash.sha1 + /// SHA1 hash. + /// + /// + public static string ThreatIndicatorFileHashSha1 = nameof(ThreatIndicatorFileHashSha1); + /// + /// threat.indicator.file.hash.sha256 + /// SHA256 hash. + /// + /// + public static string ThreatIndicatorFileHashSha256 = nameof(ThreatIndicatorFileHashSha256); + /// + /// threat.indicator.file.hash.sha384 + /// SHA384 hash. + /// + /// + public static string ThreatIndicatorFileHashSha384 = nameof(ThreatIndicatorFileHashSha384); + /// + /// threat.indicator.file.hash.sha512 + /// SHA512 hash. + /// + /// + public static string ThreatIndicatorFileHashSha512 = nameof(ThreatIndicatorFileHashSha512); + /// + /// threat.indicator.file.hash.ssdeep + /// SSDEEP hash. + /// + /// + public static string ThreatIndicatorFileHashSsdeep = nameof(ThreatIndicatorFileHashSsdeep); + /// + /// threat.indicator.file.hash.tlsh + /// TLSH hash. + /// + /// + public static string ThreatIndicatorFileHashTlsh = nameof(ThreatIndicatorFileHashTlsh); + /// + /// threat.indicator.file.pe.architecture + /// CPU architecture target for the file. + /// x64 + /// + public static string ThreatIndicatorFilePeArchitecture = nameof(ThreatIndicatorFilePeArchitecture); + /// + /// threat.indicator.file.pe.company + /// Internal company name of the file, provided at compile-time. + /// Microsoft Corporation + /// + public static string ThreatIndicatorFilePeCompany = nameof(ThreatIndicatorFilePeCompany); + /// + /// threat.indicator.file.pe.description + /// Internal description of the file, provided at compile-time. 
+ /// Paint + /// + public static string ThreatIndicatorFilePeDescription = nameof(ThreatIndicatorFilePeDescription); + /// + /// threat.indicator.file.pe.file_version + /// Internal version of the file, provided at compile-time. + /// 6.3.9600.17415 + /// + public static string ThreatIndicatorFilePeFileVersion = nameof(ThreatIndicatorFilePeFileVersion); + /// + /// threat.indicator.file.pe.go_import_hash + /// A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string ProcessPid = nameof(ProcessPid); + public static string ThreatIndicatorFilePeGoImportHash = nameof(ThreatIndicatorFilePeGoImportHash); /// - /// process.start - /// The time the process started. - /// 5/23/2016 8:05:34AM + /// threat.indicator.file.pe.go_imports + /// List of imported Go language element names and types. + /// /// - public static string ProcessStart = nameof(ProcessStart); + public static string ThreatIndicatorFilePeGoImports = nameof(ThreatIndicatorFilePeGoImports); /// - /// process.thread.id - /// Thread ID. - /// 4242 + /// threat.indicator.file.pe.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// /// - public static string ProcessThreadId = nameof(ProcessThreadId); + public static string ThreatIndicatorFilePeGoImportsNamesEntropy = nameof(ThreatIndicatorFilePeGoImportsNamesEntropy); /// - /// process.thread.name - /// Thread name. - /// thread-0 + /// threat.indicator.file.pe.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. 
+ /// /// - public static string ProcessThreadName = nameof(ProcessThreadName); + public static string ThreatIndicatorFilePeGoImportsNamesVarEntropy = nameof(ThreatIndicatorFilePeGoImportsNamesVarEntropy); /// - /// process.title - /// Process title. - /// The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + /// threat.indicator.file.pe.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string ProcessTitle = nameof(ProcessTitle); + public static string ThreatIndicatorFilePeGoStripped = nameof(ThreatIndicatorFilePeGoStripped); /// - /// process.uptime - /// Seconds the process has been up. - /// 1325 + /// threat.indicator.file.pe.imphash + /// A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + /// 0c6803c4e922103c4dca5963aad36ddf /// - public static string ProcessUptime = nameof(ProcessUptime); + public static string ThreatIndicatorFilePeImphash = nameof(ThreatIndicatorFilePeImphash); /// - /// process.vpid - /// Virtual process id. - /// The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. - /// 4242 + /// threat.indicator.file.pe.import_hash + /// A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for imphash. 
+ /// d41d8cd98f00b204e9800998ecf8427e /// - public static string ProcessVpid = nameof(ProcessVpid); + public static string ThreatIndicatorFilePeImportHash = nameof(ThreatIndicatorFilePeImportHash); /// - /// process.working_directory - /// The working directory of the process. - /// /home/alice + /// threat.indicator.file.pe.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string ProcessWorkingDirectory = nameof(ProcessWorkingDirectory); + public static string ThreatIndicatorFilePeImportsNamesEntropy = nameof(ThreatIndicatorFilePeImportsNamesEntropy); /// - /// registry.data.bytes - /// Original bytes written with base64 encoding. - /// For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - /// ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + /// threat.indicator.file.pe.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string RegistryDataBytes = nameof(RegistryDataBytes); + public static string ThreatIndicatorFilePeImportsNamesVarEntropy = nameof(ThreatIndicatorFilePeImportsNamesVarEntropy); /// - /// registry.data.type - /// Standard registry type for encoding contents - /// REG_SZ + /// threat.indicator.file.pe.original_file_name + /// Internal name of the file, provided at compile-time. + /// MSPAINT.EXE /// - public static string RegistryDataType = nameof(RegistryDataType); + public static string ThreatIndicatorFilePeOriginalFileName = nameof(ThreatIndicatorFilePeOriginalFileName); /// - /// registry.hive - /// Abbreviated name for the hive. - /// HKLM + /// threat.indicator.file.pe.pehash + /// A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value. + /// Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + /// 73ff189b63cd6be375a7ff25179a38d347651975 /// - public static string RegistryHive = nameof(RegistryHive); + public static string ThreatIndicatorFilePePehash = nameof(ThreatIndicatorFilePePehash); /// - /// registry.key - /// Hive-relative path of keys. - /// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + /// threat.indicator.file.pe.product + /// Internal product name of the file, provided at compile-time. + /// Microsoft® Windows® Operating System /// - public static string RegistryKey = nameof(RegistryKey); + public static string ThreatIndicatorFilePeProduct = nameof(ThreatIndicatorFilePeProduct); /// - /// registry.path - /// Full path, including hive, key and value - /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + /// threat.indicator.file.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA /// - public static string RegistryPath = nameof(RegistryPath); + public static string ThreatIndicatorFileX509IssuerDistinguishedName = nameof(ThreatIndicatorFileX509IssuerDistinguishedName); /// - /// registry.value - /// Name of the value written. - /// Debugger + /// threat.indicator.file.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM /// - public static string RegistryValue = nameof(RegistryValue); + public static string ThreatIndicatorFileX509NotAfter = nameof(ThreatIndicatorFileX509NotAfter); /// - /// risk.calculated_level - /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
- /// High + /// threat.indicator.file.x509.not_before + /// Time at which the certificate is first considered valid. + /// 8/16/2019 1:40:25 AM /// - public static string RiskCalculatedLevel = nameof(RiskCalculatedLevel); + public static string ThreatIndicatorFileX509NotBefore = nameof(ThreatIndicatorFileX509NotBefore); /// - /// risk.calculated_score - /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. - /// 880.73 + /// threat.indicator.file.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA /// - public static string RiskCalculatedScore = nameof(RiskCalculatedScore); + public static string ThreatIndicatorFileX509PublicKeyAlgorithm = nameof(ThreatIndicatorFileX509PublicKeyAlgorithm); /// - /// risk.calculated_score_norm - /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. - /// 88.73 + /// threat.indicator.file.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 /// - public static string RiskCalculatedScoreNorm = nameof(RiskCalculatedScoreNorm); + public static string ThreatIndicatorFileX509PublicKeyCurve = nameof(ThreatIndicatorFileX509PublicKeyCurve); /// - /// risk.static_level - /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. - /// High + /// threat.indicator.file.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 ///
- public static string RiskStaticLevel = nameof(RiskStaticLevel); + public static string ThreatIndicatorFileX509PublicKeyExponent = nameof(ThreatIndicatorFileX509PublicKeyExponent); /// - /// risk.static_score - /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. - /// 830.0 + /// threat.indicator.file.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 /// - public static string RiskStaticScore = nameof(RiskStaticScore); + public static string ThreatIndicatorFileX509PublicKeySize = nameof(ThreatIndicatorFileX509PublicKeySize); /// - /// risk.static_score_norm - /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. - /// 83.0 + /// threat.indicator.file.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA /// - public static string RiskStaticScoreNorm = nameof(RiskStaticScoreNorm); + public static string ThreatIndicatorFileX509SerialNumber = nameof(ThreatIndicatorFileX509SerialNumber); /// - /// rule.category - /// A categorization value keyword used by the entity using the rule for detection of this event. - /// Attempted Information Leak + /// threat.indicator.file.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA /// - public static string RuleCategory = nameof(RuleCategory); + public static string ThreatIndicatorFileX509SignatureAlgorithm = nameof(ThreatIndicatorFileX509SignatureAlgorithm); /// - /// rule.description - /// The description of the rule generating the event. 
- /// Block requests to public DNS over HTTPS / TLS protocols + /// threat.indicator.file.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. + /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net /// - public static string RuleDescription = nameof(RuleDescription); + public static string ThreatIndicatorFileX509SubjectDistinguishedName = nameof(ThreatIndicatorFileX509SubjectDistinguishedName); /// - /// rule.id - /// A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - /// 101 + /// threat.indicator.file.x509.version_number + /// Version of x509 format. + /// 3 /// - public static string RuleId = nameof(RuleId); + public static string ThreatIndicatorFileX509VersionNumber = nameof(ThreatIndicatorFileX509VersionNumber); /// - /// rule.license - /// Name of the license under which the rule used to generate this event is made available. - /// Apache 2.0 + /// threat.indicator.file.code_signature.digest_algorithm + /// The hashing algorithm used to sign the process. + /// This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + /// sha256 /// - public static string RuleLicense = nameof(RuleLicense); + public static string ThreatIndicatorFileCodeSignatureDigestAlgorithm = nameof(ThreatIndicatorFileCodeSignatureDigestAlgorithm); /// - /// rule.name - /// The name of the rule or signature generating the event. - /// BLOCK_DNS_over_TLS + /// threat.indicator.file.code_signature.exists + /// Boolean to capture if a signature is present. + /// true /// - public static string RuleName = nameof(RuleName); + public static string ThreatIndicatorFileCodeSignatureExists = nameof(ThreatIndicatorFileCodeSignatureExists); /// - /// rule.reference - /// Reference URL to additional information about the rule used to generate this event. 
- /// The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. - /// https://en.wikipedia.org/wiki/DNS_over_TLS + /// threat.indicator.file.code_signature.signing_id + /// The identifier used to sign the process. + /// This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + /// com.apple.xpc.proxy /// - public static string RuleReference = nameof(RuleReference); + public static string ThreatIndicatorFileCodeSignatureSigningId = nameof(ThreatIndicatorFileCodeSignatureSigningId); /// - /// rule.ruleset - /// Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - /// Standard_Protocol_Filters + /// threat.indicator.file.code_signature.status + /// Additional information about the certificate status. + /// This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + /// ERROR_UNTRUSTED_ROOT /// - public static string RuleRuleset = nameof(RuleRuleset); + public static string ThreatIndicatorFileCodeSignatureStatus = nameof(ThreatIndicatorFileCodeSignatureStatus); /// - /// rule.uuid - /// A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - /// 1100110011 + /// threat.indicator.file.code_signature.subject_name + /// Subject name of the code signer + /// Microsoft Corporation /// - public static string RuleUuid = nameof(RuleUuid); + public static string ThreatIndicatorFileCodeSignatureSubjectName = nameof(ThreatIndicatorFileCodeSignatureSubjectName); /// - /// rule.version - /// The version / revision of the rule being used for analysis. 
- /// 1.1 + /// threat.indicator.file.code_signature.team_id + /// The team identifier used to sign the process. + /// This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + /// EQHXZ8M8AV /// - public static string RuleVersion = nameof(RuleVersion); + public static string ThreatIndicatorFileCodeSignatureTeamId = nameof(ThreatIndicatorFileCodeSignatureTeamId); /// - /// server.address - /// Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - /// + /// threat.indicator.file.code_signature.timestamp + /// Date and time when the code signature was generated and signed. + /// 1/1/2021 12:10:30 PM /// - public static string ServerAddress = nameof(ServerAddress); + public static string ThreatIndicatorFileCodeSignatureTimestamp = nameof(ThreatIndicatorFileCodeSignatureTimestamp); /// - /// server.bytes - /// Bytes sent from the server to the client. - /// 184 + /// threat.indicator.file.code_signature.trusted + /// Stores the trust status of the certificate chain. + /// Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + /// true /// - public static string ServerBytes = nameof(ServerBytes); + public static string ThreatIndicatorFileCodeSignatureTrusted = nameof(ThreatIndicatorFileCodeSignatureTrusted); /// - /// server.domain - /// The domain name of the server system. - /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - /// foo.example.com + /// threat.indicator.file.code_signature.valid + /// Boolean to capture if the digital signature is verified against the binary content. 
+ /// Leave unpopulated if a certificate was unchecked. + /// true /// - public static string ServerDomain = nameof(ServerDomain); + public static string ThreatIndicatorFileCodeSignatureValid = nameof(ThreatIndicatorFileCodeSignatureValid); /// - /// server.ip - /// IP address of the server (IPv4 or IPv6). - /// + /// threat.indicator.file.elf.architecture + /// Machine architecture of the ELF file. + /// x86-64 /// - public static string ServerIp = nameof(ServerIp); + public static string ThreatIndicatorFileElfArchitecture = nameof(ThreatIndicatorFileElfArchitecture); /// - /// server.mac - /// MAC address of the server. - /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - /// pattern: - /// 00-00-5E-00-53-23 + /// threat.indicator.file.elf.byte_order + /// Byte sequence of ELF file. + /// Little Endian /// - public static string ServerMac = nameof(ServerMac); + public static string ThreatIndicatorFileElfByteOrder = nameof(ThreatIndicatorFileElfByteOrder); /// - /// server.nat.ip - /// Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - /// Typically used with load balancers, firewalls, or routers. - /// + /// threat.indicator.file.elf.cpu_type + /// CPU type of the ELF file. + /// Intel /// - public static string ServerNatIp = nameof(ServerNatIp); + public static string ThreatIndicatorFileElfCpuType = nameof(ThreatIndicatorFileElfCpuType); /// - /// server.nat.port - /// Translated port of destination based NAT sessions (e.g. internet to private DMZ) - /// Typically used with load balancers, firewalls, or routers. + /// threat.indicator.file.elf.creation_date + /// Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. 
/// /// - public static string ServerNatPort = nameof(ServerNatPort); + public static string ThreatIndicatorFileElfCreationDate = nameof(ThreatIndicatorFileElfCreationDate); /// - /// server.packets - /// Packets sent from the server to the client. - /// 12 + /// threat.indicator.file.elf.go_import_hash + /// A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string ServerPackets = nameof(ServerPackets); + public static string ThreatIndicatorFileElfGoImportHash = nameof(ThreatIndicatorFileElfGoImportHash); /// - /// server.port - /// Port of the server. + /// threat.indicator.file.elf.go_imports + /// List of imported Go language element names and types. /// /// - public static string ServerPort = nameof(ServerPort); + public static string ThreatIndicatorFileElfGoImports = nameof(ThreatIndicatorFileElfGoImports); /// - /// server.registered_domain - /// The highest registered server domain, stripped of the subdomain. - /// For example, the registered domain for "foo.example.com" is "example.com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - /// example.com + /// threat.indicator.file.elf.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. 
+ /// /// - public static string ServerRegisteredDomain = nameof(ServerRegisteredDomain); + public static string ThreatIndicatorFileElfGoImportsNamesEntropy = nameof(ThreatIndicatorFileElfGoImportsNamesEntropy); /// - /// server.subdomain - /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - /// east + /// threat.indicator.file.elf.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. + /// /// - public static string ServerSubdomain = nameof(ServerSubdomain); + public static string ThreatIndicatorFileElfGoImportsNamesVarEntropy = nameof(ThreatIndicatorFileElfGoImportsNamesVarEntropy); /// - /// server.top_level_domain - /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - /// co.uk + /// threat.indicator.file.elf.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. 
+ /// /// - public static string ServerTopLevelDomain = nameof(ServerTopLevelDomain); + public static string ThreatIndicatorFileElfGoStripped = nameof(ThreatIndicatorFileElfGoStripped); /// - /// service.address - /// Address where data about this service was collected from. - /// This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - /// 172.26.0.2:5432 + /// threat.indicator.file.elf.header.abi_version + /// Version of the ELF Application Binary Interface (ABI). + /// /// - public static string ServiceAddress = nameof(ServiceAddress); + public static string ThreatIndicatorFileElfHeaderAbiVersion = nameof(ThreatIndicatorFileElfHeaderAbiVersion); /// - /// service.environment - /// Identifies the environment where the service is running. - /// If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. - ///
This field is beta and subject to change.
- /// production + /// threat.indicator.file.elf.header.class + /// Header class of the ELF file. + /// ///
- public static string ServiceEnvironment = nameof(ServiceEnvironment); + public static string ThreatIndicatorFileElfHeaderClass = nameof(ThreatIndicatorFileElfHeaderClass); /// - /// service.ephemeral_id - /// Ephemeral identifier of this service (if one exists). - /// This id normally changes across restarts, but `service.id` does not. - /// 8a4f500f + /// threat.indicator.file.elf.header.data + /// Data table of the ELF header. + /// /// - public static string ServiceEphemeralId = nameof(ServiceEphemeralId); + public static string ThreatIndicatorFileElfHeaderData = nameof(ThreatIndicatorFileElfHeaderData); /// - /// service.id - /// Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - /// This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - /// Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - /// d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + /// threat.indicator.file.elf.header.entrypoint + /// Header entrypoint of the ELF file. + /// /// - public static string ServiceId = nameof(ServiceId); + public static string ThreatIndicatorFileElfHeaderEntrypoint = nameof(ThreatIndicatorFileElfHeaderEntrypoint); /// - /// service.name - /// Name of the service data is collected from. - /// The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - /// In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - /// elasticsearch-metrics + /// threat.indicator.file.elf.header.object_version + /// "0x1" for original ELF files. 
+ /// /// - public static string ServiceName = nameof(ServiceName); + public static string ThreatIndicatorFileElfHeaderObjectVersion = nameof(ThreatIndicatorFileElfHeaderObjectVersion); /// - /// service.node.name - /// Name of a service node. - /// This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. - /// In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - /// instance-0000000016 + /// threat.indicator.file.elf.header.os_abi + /// Application Binary Interface (ABI) of the Linux OS. + /// /// - public static string ServiceNodeName = nameof(ServiceNodeName); + public static string ThreatIndicatorFileElfHeaderOsAbi = nameof(ThreatIndicatorFileElfHeaderOsAbi); /// - /// service.node.role - /// Deprecated for removal in next major version release. This field will be superseded by `node.roles`. - /// Role of a service node. - /// This allows for distinction between different running roles of the same service. - /// In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - /// In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. - /// Other services could use this to distinguish between a `web` and `worker` role running as part of the service. - /// background_tasks + /// threat.indicator.file.elf.header.type + /// Header type of the ELF file. 
+ /// /// - public static string ServiceNodeRole = nameof(ServiceNodeRole); + public static string ThreatIndicatorFileElfHeaderType = nameof(ThreatIndicatorFileElfHeaderType); /// - /// service.state - /// Current state of the service. + /// threat.indicator.file.elf.header.version + /// Version of the ELF header. /// /// - public static string ServiceState = nameof(ServiceState); + public static string ThreatIndicatorFileElfHeaderVersion = nameof(ThreatIndicatorFileElfHeaderVersion); /// - /// service.type - /// The type of the service data is collected from. - /// The type can be used to group and correlate logs and metrics from one service type. - /// Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - /// elasticsearch + /// threat.indicator.file.elf.import_hash + /// A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is an ELF implementation of the Windows PE imphash. + /// d41d8cd98f00b204e9800998ecf8427e /// - public static string ServiceType = nameof(ServiceType); + public static string ThreatIndicatorFileElfImportHash = nameof(ThreatIndicatorFileElfImportHash); /// - /// service.version - /// Version of the service the data was collected from. - /// This allows to look at a data set only for a specific version of a service. - /// 3.2.4 + /// threat.indicator.file.elf.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string ServiceVersion = nameof(ServiceVersion); + public static string ThreatIndicatorFileElfImportsNamesEntropy = nameof(ThreatIndicatorFileElfImportsNamesEntropy); /// - /// source.address - /// Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - /// Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + /// threat.indicator.file.elf.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. /// /// - public static string SourceAddress = nameof(SourceAddress); + public static string ThreatIndicatorFileElfImportsNamesVarEntropy = nameof(ThreatIndicatorFileElfImportsNamesVarEntropy); /// - /// source.bytes - /// Bytes sent from the source to the destination. - /// 184 + /// threat.indicator.file.elf.telfhash + /// telfhash symbol hash for ELF file. + /// /// - public static string SourceBytes = nameof(SourceBytes); + public static string ThreatIndicatorFileElfTelfhash = nameof(ThreatIndicatorFileElfTelfhash); /// - /// source.domain - /// The domain name of the source system. - /// This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - /// foo.example.com + /// threat.indicator.file.macho.go_import_hash + /// A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + /// 10bddcb4cee42080f76c88d9ff964491 /// - public static string SourceDomain = nameof(SourceDomain); + public static string ThreatIndicatorFileMachoGoImportHash = nameof(ThreatIndicatorFileMachoGoImportHash); /// - /// source.ip - /// IP address of the source (IPv4 or IPv6). + /// threat.indicator.file.macho.go_imports + /// List of imported Go language element names and types. 
/// /// - public static string SourceIp = nameof(SourceIp); + public static string ThreatIndicatorFileMachoGoImports = nameof(ThreatIndicatorFileMachoGoImports); /// - /// source.mac - /// MAC address of the source. - /// The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - /// pattern: - /// 00-00-5E-00-53-23 + /// threat.indicator.file.macho.go_imports_names_entropy + /// Shannon entropy calculation from the list of Go imports. + /// /// - public static string SourceMac = nameof(SourceMac); + public static string ThreatIndicatorFileMachoGoImportsNamesEntropy = nameof(ThreatIndicatorFileMachoGoImportsNamesEntropy); /// - /// source.nat.ip - /// Translated ip of source based NAT sessions (e.g. internal client to internet) - /// Typically connections traversing load balancers, firewalls, or routers. + /// threat.indicator.file.macho.go_imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of Go imports. /// /// - public static string SourceNatIp = nameof(SourceNatIp); + public static string ThreatIndicatorFileMachoGoImportsNamesVarEntropy = nameof(ThreatIndicatorFileMachoGoImportsNamesVarEntropy); /// - /// source.nat.port - /// Translated port of source based NAT sessions. (e.g. internal client to internet) - /// Typically used with load balancers, firewalls, or routers. + /// threat.indicator.file.macho.go_stripped + /// Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. /// /// - public static string SourceNatPort = nameof(SourceNatPort); + public static string ThreatIndicatorFileMachoGoStripped = nameof(ThreatIndicatorFileMachoGoStripped); /// - /// source.packets - /// Packets sent from the source to the destination. 
- /// 12 + /// threat.indicator.file.macho.import_hash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a synonym for symhash. + /// d41d8cd98f00b204e9800998ecf8427e /// - public static string SourcePackets = nameof(SourcePackets); + public static string ThreatIndicatorFileMachoImportHash = nameof(ThreatIndicatorFileMachoImportHash); /// - /// source.port - /// Port of the source. + /// threat.indicator.file.macho.imports_names_entropy + /// Shannon entropy calculation from the list of imported element names and types. /// /// - public static string SourcePort = nameof(SourcePort); + public static string ThreatIndicatorFileMachoImportsNamesEntropy = nameof(ThreatIndicatorFileMachoImportsNamesEntropy); /// - /// source.registered_domain - /// The highest registered source domain, stripped of the subdomain. - /// For example, the registered domain for "foo.example.com" is "example.com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - /// example.com + /// threat.indicator.file.macho.imports_names_var_entropy + /// Variance for Shannon entropy calculation from the list of imported element names and types. + /// /// - public static string SourceRegisteredDomain = nameof(SourceRegisteredDomain); + public static string ThreatIndicatorFileMachoImportsNamesVarEntropy = nameof(ThreatIndicatorFileMachoImportsNamesVarEntropy); /// - /// source.subdomain - /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - /// east + /// threat.indicator.file.macho.symhash + /// A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + /// This is a Mach-O implementation of the Windows PE imphash + /// d3ccf195b62a9279c3c19af1080497ec /// - public static string SourceSubdomain = nameof(SourceSubdomain); + public static string ThreatIndicatorFileMachoSymhash = nameof(ThreatIndicatorFileMachoSymhash); /// - /// source.top_level_domain - /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - /// co.uk + /// threat.indicator.geo.city_name + /// City name. + /// Montreal /// - public static string SourceTopLevelDomain = nameof(SourceTopLevelDomain); + public static string ThreatIndicatorGeoCityName = nameof(ThreatIndicatorGeoCityName); /// - /// threat.feed.dashboard_id - /// The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. - /// 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f + /// threat.indicator.geo.continent_code + /// Two-letter code representing continent's name. 
+ /// NA /// - public static string ThreatFeedDashboardId = nameof(ThreatFeedDashboardId); + public static string ThreatIndicatorGeoContinentCode = nameof(ThreatIndicatorGeoContinentCode); /// - /// threat.feed.description - /// Description of the threat feed in a UI friendly format. - /// Threat feed from the AlienVault Open Threat eXchange network. + /// threat.indicator.geo.continent_name + /// Name of the continent. + /// North America /// - public static string ThreatFeedDescription = nameof(ThreatFeedDescription); + public static string ThreatIndicatorGeoContinentName = nameof(ThreatIndicatorGeoContinentName); /// - /// threat.feed.name - /// The name of the threat feed in UI friendly format. - /// AlienVault OTX + /// threat.indicator.geo.country_iso_code + /// Country ISO code. + /// CA /// - public static string ThreatFeedName = nameof(ThreatFeedName); + public static string ThreatIndicatorGeoCountryIsoCode = nameof(ThreatIndicatorGeoCountryIsoCode); /// - /// threat.feed.reference - /// Reference information for the threat feed in a UI friendly format. - /// https://otx.alienvault.com + /// threat.indicator.geo.country_name + /// Country name. + /// Canada /// - public static string ThreatFeedReference = nameof(ThreatFeedReference); + public static string ThreatIndicatorGeoCountryName = nameof(ThreatIndicatorGeoCountryName); /// - /// threat.framework - /// Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - /// MITRE ATT&CK + /// threat.indicator.geo.location + /// Longitude and latitude. 
+ /// { "lon": -73.614830, "lat": 45.505918 } /// - public static string ThreatFramework = nameof(ThreatFramework); + public static string ThreatIndicatorGeoLocation = nameof(ThreatIndicatorGeoLocation); /// - /// threat.group.id - /// The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. - /// While not required, you can use a MITRE ATT&CK® group id. - /// G0037 + /// threat.indicator.geo.name + /// User-defined description of a location, at the level of granularity they care about. + /// Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + /// Not typically used in automated geolocation. + /// boston-dc /// - public static string ThreatGroupId = nameof(ThreatGroupId); + public static string ThreatIndicatorGeoName = nameof(ThreatIndicatorGeoName); /// - /// threat.group.name - /// The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. - /// While not required, you can use a MITRE ATT&CK® group name. - /// FIN6 + /// threat.indicator.geo.postal_code + /// Postal code associated with the location. + /// Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + /// 94040 /// - public static string ThreatGroupName = nameof(ThreatGroupName); + public static string ThreatIndicatorGeoPostalCode = nameof(ThreatIndicatorGeoPostalCode); /// - /// threat.group.reference - /// The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. - /// While not required, you can use a MITRE ATT&CK® group reference URL. - /// https://attack.mitre.org/groups/G0037/ + /// threat.indicator.geo.region_iso_code + /// Region ISO code. 
+ /// CA-QC /// - public static string ThreatGroupReference = nameof(ThreatGroupReference); + public static string ThreatIndicatorGeoRegionIsoCode = nameof(ThreatIndicatorGeoRegionIsoCode); /// - /// threat.indicator.confidence - /// Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. - ///
Expected Values:
- /// - /// Not Specified - /// None - /// Low - /// Medium - /// High - ///
- /// Medium + /// threat.indicator.geo.region_name + /// Region name. + /// Quebec ///
- public static string ThreatIndicatorConfidence = nameof(ThreatIndicatorConfidence); + public static string ThreatIndicatorGeoRegionName = nameof(ThreatIndicatorGeoRegionName); /// - /// threat.indicator.description - /// Describes the type of action conducted by the threat. - /// IP x.x.x.x was observed delivering the Angler EK. + /// threat.indicator.geo.timezone + /// The time zone of the location, such as IANA time zone name. + /// America/Argentina/Buenos_Aires /// - public static string ThreatIndicatorDescription = nameof(ThreatIndicatorDescription); + public static string ThreatIndicatorGeoTimezone = nameof(ThreatIndicatorGeoTimezone); /// - /// threat.indicator.email.address - /// Identifies a threat indicator as an email address (irrespective of direction). - /// phish@example.com + /// threat.indicator.registry.data.bytes + /// Original bytes written with base64 encoding. + /// For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + /// ZQBuAC0AVQBTAAAAZQBuAAAAAAA= /// - public static string ThreatIndicatorEmailAddress = nameof(ThreatIndicatorEmailAddress); + public static string ThreatIndicatorRegistryDataBytes = nameof(ThreatIndicatorRegistryDataBytes); /// - /// threat.indicator.first_seen - /// The date and time when intelligence source first reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// threat.indicator.registry.data.type + /// Standard registry type for encoding contents + /// REG_SZ /// - public static string ThreatIndicatorFirstSeen = nameof(ThreatIndicatorFirstSeen); + public static string ThreatIndicatorRegistryDataType = nameof(ThreatIndicatorRegistryDataType); /// - /// threat.indicator.ip - /// Identifies a threat indicator as an IP address (irrespective of direction). 
- /// 1.2.3.4 + /// threat.indicator.registry.hive + /// Abbreviated name for the hive. + /// HKLM /// - public static string ThreatIndicatorIp = nameof(ThreatIndicatorIp); + public static string ThreatIndicatorRegistryHive = nameof(ThreatIndicatorRegistryHive); /// - /// threat.indicator.last_seen - /// The date and time when intelligence source last reported sighting this indicator. - /// 11/5/2020 5:25:47PM + /// threat.indicator.registry.key + /// Hive-relative path of keys. + /// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + /// + public static string ThreatIndicatorRegistryKey = nameof(ThreatIndicatorRegistryKey); + /// + /// threat.indicator.registry.path + /// Full path, including hive, key and value + /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + /// + public static string ThreatIndicatorRegistryPath = nameof(ThreatIndicatorRegistryPath); + /// + /// threat.indicator.registry.value + /// Name of the value written. + /// Debugger /// - public static string ThreatIndicatorLastSeen = nameof(ThreatIndicatorLastSeen); + public static string ThreatIndicatorRegistryValue = nameof(ThreatIndicatorRegistryValue); /// - /// threat.indicator.marking.tlp - /// Traffic Light Protocol sharing markings. - ///
Expected Values:
- /// - /// WHITE - /// CLEAR - /// GREEN - /// AMBER - /// AMBER+STRICT - /// RED - ///
- /// CLEAR + /// threat.indicator.url.domain + /// Domain of the url, such as "www.elastic.co". + /// In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + /// If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + /// www.elastic.co ///
- public static string ThreatIndicatorMarkingTlp = nameof(ThreatIndicatorMarkingTlp); + public static string ThreatIndicatorUrlDomain = nameof(ThreatIndicatorUrlDomain); /// - /// threat.indicator.marking.tlp_version - /// Traffic Light Protocol version. - /// 2.0 + /// threat.indicator.url.extension + /// The field contains the file extension from the original request url, excluding the leading dot. + /// The file extension is only set if it exists, as not every url has a file extension. + /// The leading period must not be included. For example, the value must be "png", not ".png". + /// Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + /// png /// - public static string ThreatIndicatorMarkingTlpVersion = nameof(ThreatIndicatorMarkingTlpVersion); + public static string ThreatIndicatorUrlExtension = nameof(ThreatIndicatorUrlExtension); /// - /// threat.indicator.modified_at - /// The date and time when intelligence source last modified information for this indicator. - /// 11/5/2020 5:25:47PM + /// threat.indicator.url.fragment + /// Portion of the url after the `#`, such as "top". + /// The `#` is not part of the fragment. + /// /// - public static string ThreatIndicatorModifiedAt = nameof(ThreatIndicatorModifiedAt); + public static string ThreatIndicatorUrlFragment = nameof(ThreatIndicatorUrlFragment); /// - /// threat.indicator.name - /// The display name indicator in an UI friendly format - /// URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. - /// 5.2.75.227 + /// threat.indicator.url.full + /// If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
+ /// https://www.elastic.co:443/search?q=elasticsearch#top /// - public static string ThreatIndicatorName = nameof(ThreatIndicatorName); + public static string ThreatIndicatorUrlFull = nameof(ThreatIndicatorUrlFull); /// - /// threat.indicator.port - /// Identifies a threat indicator as a port number (irrespective of direction). - /// 443 + /// threat.indicator.url.original + /// Unmodified original url as seen in the event source. + /// Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + /// This field is meant to represent the URL as it was observed, complete or not. + /// https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch /// - public static string ThreatIndicatorPort = nameof(ThreatIndicatorPort); + public static string ThreatIndicatorUrlOriginal = nameof(ThreatIndicatorUrlOriginal); /// - /// threat.indicator.provider - /// The name of the indicator's provider. - /// lrz_urlhaus + /// threat.indicator.url.password + /// Password of the request. + /// /// - public static string ThreatIndicatorProvider = nameof(ThreatIndicatorProvider); + public static string ThreatIndicatorUrlPassword = nameof(ThreatIndicatorUrlPassword); /// - /// threat.indicator.reference - /// Reference URL linking to additional information about this indicator. - /// https://system.example.com/indicator/0001234 + /// threat.indicator.url.path + /// Path of the request, such as "/search". + /// /// - public static string ThreatIndicatorReference = nameof(ThreatIndicatorReference); + public static string ThreatIndicatorUrlPath = nameof(ThreatIndicatorUrlPath); /// - /// threat.indicator.scanner_stats - /// Count of AV/EDR vendors that successfully detected malicious file or URL. - /// 4 + /// threat.indicator.url.port + /// Port of the request, such as 443. 
+ /// 443 /// - public static string ThreatIndicatorScannerStats = nameof(ThreatIndicatorScannerStats); + public static string ThreatIndicatorUrlPort = nameof(ThreatIndicatorUrlPort); /// - /// threat.indicator.sightings - /// Number of times this indicator was observed conducting threat activity. - /// 20 + /// threat.indicator.url.query + /// The query field describes the query string of the request, such as "q=elasticsearch". + /// The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + /// /// - public static string ThreatIndicatorSightings = nameof(ThreatIndicatorSightings); + public static string ThreatIndicatorUrlQuery = nameof(ThreatIndicatorUrlQuery); /// - /// threat.indicator.type - /// Type of indicator as represented by Cyber Observable in STIX 2.0. - ///
Expected Values:
- /// - /// autonomous-system - /// artifact - /// directory - /// domain-name - /// email-addr - /// file - /// ipv4-addr - /// ipv6-addr - /// mac-addr - /// mutex - /// port - /// process - /// software - /// url - /// user-account - /// windows-registry-key - /// x509-certificate - ///
- /// ipv4-addr + /// threat.indicator.url.registered_domain + /// The highest registered url domain, stripped of the subdomain. + /// For example, the registered domain for "foo.example.com" is "example.com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + /// example.com ///
- public static string ThreatIndicatorType = nameof(ThreatIndicatorType); + public static string ThreatIndicatorUrlRegisteredDomain = nameof(ThreatIndicatorUrlRegisteredDomain); /// - /// threat.software.id - /// The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software id. - /// S0552 + /// threat.indicator.url.scheme + /// Scheme of the request, such as "https". + /// Note: The `:` is not part of the scheme. + /// https /// - public static string ThreatSoftwareId = nameof(ThreatSoftwareId); + public static string ThreatIndicatorUrlScheme = nameof(ThreatIndicatorUrlScheme); /// - /// threat.software.name - /// The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software name. - /// AdFind + /// threat.indicator.url.subdomain + /// The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + /// For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + /// east /// - public static string ThreatSoftwareName = nameof(ThreatSoftwareName); + public static string ThreatIndicatorUrlSubdomain = nameof(ThreatIndicatorUrlSubdomain); /// - /// threat.software.reference - /// The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software reference URL. 
- /// https://attack.mitre.org/software/S0552/ + /// threat.indicator.url.top_level_domain + /// The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + /// This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + /// co.uk /// - public static string ThreatSoftwareReference = nameof(ThreatSoftwareReference); + public static string ThreatIndicatorUrlTopLevelDomain = nameof(ThreatIndicatorUrlTopLevelDomain); /// - /// threat.software.type - /// The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - /// While not required, you can use a MITRE ATT&CK® software type. - ///
Expected Values:
- /// - /// Malware - /// Tool - ///
- /// Tool + /// threat.indicator.url.username + /// Username of the request. + /// ///
- public static string ThreatSoftwareType = nameof(ThreatSoftwareType); + public static string ThreatIndicatorUrlUsername = nameof(ThreatIndicatorUrlUsername); /// /// tls.cipher /// String indicating the cipher used during the current connection. @@ -2850,13 +6441,13 @@ public static class LogTemplateProperties /// /// tls.client.not_after /// Date/Time indicating when client certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// public static string TlsClientNotAfter = nameof(TlsClientNotAfter); /// /// tls.client.not_before /// Date/Time indicating when client certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// public static string TlsClientNotBefore = nameof(TlsClientNotBefore); /// @@ -2934,13 +6525,13 @@ public static class LogTemplateProperties /// /// tls.server.not_after /// Timestamp indicating when server certificate is no longer considered valid. - /// 1/1/2021 12:00:00AM + /// 1/1/2021 12:00:00 AM /// public static string TlsServerNotAfter = nameof(TlsServerNotAfter); /// /// tls.server.not_before /// Timestamp indicating when server certificate is first considered valid. - /// 1/1/1970 12:00:00AM + /// 1/1/1970 12:00:00 AM /// public static string TlsServerNotBefore = nameof(TlsServerNotBefore); /// 
@@ -2962,6 +6553,73 @@ public static class LogTemplateProperties /// public static string TlsVersionProtocol = nameof(TlsVersionProtocol); /// + /// tls.client.x509.issuer.distinguished_name + /// Distinguished name (DN) of issuing certificate authority. + /// C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + /// + public static string TlsClientX509IssuerDistinguishedName = nameof(TlsClientX509IssuerDistinguishedName); + /// + /// tls.client.x509.not_after + /// Time at which the certificate is no longer considered valid. + /// 7/16/2020 3:15:39 AM + /// + public static string TlsClientX509NotAfter = nameof(TlsClientX509NotAfter); + /// + /// tls.client.x509.not_before + /// Time at which the certificate is first considered valid. + /// 8/16/2019 1:40:25 AM + /// + public static string TlsClientX509NotBefore = nameof(TlsClientX509NotBefore); + /// + /// tls.client.x509.public_key_algorithm + /// Algorithm used to generate the public key. + /// RSA + /// + public static string TlsClientX509PublicKeyAlgorithm = nameof(TlsClientX509PublicKeyAlgorithm); + /// + /// tls.client.x509.public_key_curve + /// The curve used by the elliptic curve public key algorithm. This is algorithm specific. + /// nistp521 + /// + public static string TlsClientX509PublicKeyCurve = nameof(TlsClientX509PublicKeyCurve); + /// + /// tls.client.x509.public_key_exponent + /// Exponent used to derive the public key. This is algorithm specific. + ///
Stored but not available for search in Elasticsearch by default
+ /// 65537 + ///
+ public static string TlsClientX509PublicKeyExponent = nameof(TlsClientX509PublicKeyExponent); + /// + /// tls.client.x509.public_key_size + /// The size of the public key space in bits. + /// 2048 + /// + public static string TlsClientX509PublicKeySize = nameof(TlsClientX509PublicKeySize); + /// + /// tls.client.x509.serial_number + /// Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + /// 55FBB9C7DEBF09809D12CCAA + /// + public static string TlsClientX509SerialNumber = nameof(TlsClientX509SerialNumber); + /// + /// tls.client.x509.signature_algorithm + /// Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + /// SHA256-RSA + /// + public static string TlsClientX509SignatureAlgorithm = nameof(TlsClientX509SignatureAlgorithm); + /// + /// tls.client.x509.subject.distinguished_name + /// Distinguished name (DN) of the certificate subject entity. + /// C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + /// + public static string TlsClientX509SubjectDistinguishedName = nameof(TlsClientX509SubjectDistinguishedName); + /// + /// tls.client.x509.version_number + /// Version of x509 format. + /// 3 + /// + public static string TlsClientX509VersionNumber = nameof(TlsClientX509VersionNumber); + /// /// url.domain /// Domain of the url, such as "www.elastic.co". /// In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
@@ -3098,6 +6756,61 @@ public static class LogTemplateProperties /// public static string UserName = nameof(UserName); /// + /// user.group.domain + /// Name of the directory the group is a member of. + /// For example, an LDAP or Active Directory domain name. + /// + /// + public static string UserGroupDomain = nameof(UserGroupDomain); + /// + /// user.group.id + /// Unique identifier for the group on the system/platform. + /// + /// + public static string UserGroupId = nameof(UserGroupId); + /// + /// user.group.name + /// Name of the group. + /// + /// + public static string UserGroupName = nameof(UserGroupName); + /// + /// user.risk.calculated_level + /// A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + /// High + /// + public static string UserRiskCalculatedLevel = nameof(UserRiskCalculatedLevel); + /// + /// user.risk.calculated_score + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + /// 880.73 + /// + public static string UserRiskCalculatedScore = nameof(UserRiskCalculatedScore); + /// + /// user.risk.calculated_score_norm + /// A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + /// 88.73 + /// + public static string UserRiskCalculatedScoreNorm = nameof(UserRiskCalculatedScoreNorm); + /// + /// user.risk.static_level + /// A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + /// High + /// + public static string UserRiskStaticLevel = nameof(UserRiskStaticLevel); + /// + /// user.risk.static_score + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. 
+ /// 830.0 + /// + public static string UserRiskStaticScore = nameof(UserRiskStaticScore); + /// + /// user.risk.static_score_norm + /// A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + /// 83.0 + /// + public static string UserRiskStaticScoreNorm = nameof(UserRiskStaticScoreNorm); + /// /// user_agent.device.name /// Name of the device. /// iPhone @@ -3122,6 +6835,58 @@ public static class LogTemplateProperties /// public static string UserAgentVersion = nameof(UserAgentVersion); /// + /// user_agent.os.family + /// OS family (such as redhat, debian, freebsd, windows). + /// debian + /// + public static string UserAgentOsFamily = nameof(UserAgentOsFamily); + /// + /// user_agent.os.full + /// Operating system name, including the version or code name. + /// Mac OS Mojave + /// + public static string UserAgentOsFull = nameof(UserAgentOsFull); + /// + /// user_agent.os.kernel + /// Operating system kernel version as a raw string. + /// 4.4.0-112-generic + /// + public static string UserAgentOsKernel = nameof(UserAgentOsKernel); + /// + /// user_agent.os.name + /// Operating system name, without the version. + /// Mac OS X + /// + public static string UserAgentOsName = nameof(UserAgentOsName); + /// + /// user_agent.os.platform + /// Operating system platform (such centos, ubuntu, windows). + /// darwin + /// + public static string UserAgentOsPlatform = nameof(UserAgentOsPlatform); + /// + /// user_agent.os.type + /// Use the `os.type` field to categorize the operating system into one of the broad commercial families. + /// If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + ///
Expected Values:
+ /// + /// linux + /// macos + /// unix + /// windows + /// ios + /// android + ///
+ /// macos + ///
+ public static string UserAgentOsType = nameof(UserAgentOsType); + /// + /// user_agent.os.version + /// Operating system version as a raw string. + /// 10.14.1 + /// + public static string UserAgentOsVersion = nameof(UserAgentOsVersion); + /// /// vlan.id /// VLAN ID as reported by the observer. /// 10 @@ -3218,13 +6983,13 @@ public static class LogTemplateProperties /// /// x509.not_after /// Time at which the certificate is no longer considered valid. - /// 7/16/2020 3:15:39AM + /// 7/16/2020 3:15:39 AM /// public static string X509NotAfter = nameof(X509NotAfter); /// /// x509.not_before /// Time at which the certificate is first considered valid. - /// 8/16/2019 1:40:25AM + /// 8/16/2019 1:40:25 AM /// public static string X509NotBefore = nameof(X509NotBefore); /// 
@@ -3305,6 +7070,34 @@ public static class LogTemplateProperties "client.registered_domain", ClientRegisteredDomain, "client.subdomain", ClientSubdomain, "client.top_level_domain", ClientTopLevelDomain, + "client.as.number", ClientAsNumber, + "client.as.organization.name", ClientAsOrganizationName, + "client.geo.city_name", ClientGeoCityName, + "client.geo.continent_code", ClientGeoContinentCode, + "client.geo.continent_name", ClientGeoContinentName, + "client.geo.country_iso_code", ClientGeoCountryIsoCode, + "client.geo.country_name", ClientGeoCountryName, + "client.geo.location", ClientGeoLocation, + "client.geo.name", ClientGeoName, + "client.geo.postal_code", ClientGeoPostalCode, + "client.geo.region_iso_code", ClientGeoRegionIsoCode, + "client.geo.region_name", ClientGeoRegionName, + "client.geo.timezone", ClientGeoTimezone, + "client.user.domain", ClientUserDomain, + "client.user.email", ClientUserEmail, + "client.user.full_name", ClientUserFullName, + "client.user.hash", ClientUserHash, + "client.user.id", ClientUserId, + "client.user.name", ClientUserName, + "client.user.group.domain", ClientUserGroupDomain, + "client.user.group.id", ClientUserGroupId, + "client.user.group.name", ClientUserGroupName, + "client.user.risk.calculated_level", ClientUserRiskCalculatedLevel, + "client.user.risk.calculated_score", ClientUserRiskCalculatedScore, + "client.user.risk.calculated_score_norm", ClientUserRiskCalculatedScoreNorm, + "client.user.risk.static_level", ClientUserRiskStaticLevel, + "client.user.risk.static_score", ClientUserRiskStaticScore, + "client.user.risk.static_score_norm", ClientUserRiskStaticScoreNorm, "cloud.account.id", CloudAccountId, "cloud.account.name", CloudAccountName, "cloud.availability_zone", CloudAvailabilityZone, 
@@ -3351,12 +7144,72 @@ public static class LogTemplateProperties "destination.registered_domain", DestinationRegisteredDomain, "destination.subdomain", DestinationSubdomain, "destination.top_level_domain", DestinationTopLevelDomain, + "destination.as.number", DestinationAsNumber, + "destination.as.organization.name", DestinationAsOrganizationName, + "destination.geo.city_name", DestinationGeoCityName, + "destination.geo.continent_code", DestinationGeoContinentCode, + "destination.geo.continent_name", DestinationGeoContinentName, + "destination.geo.country_iso_code", DestinationGeoCountryIsoCode, + "destination.geo.country_name", DestinationGeoCountryName, + "destination.geo.location", DestinationGeoLocation, + "destination.geo.name", DestinationGeoName, + "destination.geo.postal_code", DestinationGeoPostalCode, + "destination.geo.region_iso_code", DestinationGeoRegionIsoCode, + "destination.geo.region_name", DestinationGeoRegionName, + "destination.geo.timezone", DestinationGeoTimezone, + "destination.user.domain", DestinationUserDomain, + "destination.user.email", DestinationUserEmail, + "destination.user.full_name", DestinationUserFullName, + "destination.user.hash", DestinationUserHash, + "destination.user.id", DestinationUserId, + "destination.user.name", DestinationUserName, + "destination.user.group.domain", DestinationUserGroupDomain, + "destination.user.group.id", DestinationUserGroupId, + "destination.user.group.name", DestinationUserGroupName, + "destination.user.risk.calculated_level", DestinationUserRiskCalculatedLevel, + "destination.user.risk.calculated_score", DestinationUserRiskCalculatedScore, + "destination.user.risk.calculated_score_norm", DestinationUserRiskCalculatedScoreNorm, + "destination.user.risk.static_level", DestinationUserRiskStaticLevel, + "destination.user.risk.static_score", DestinationUserRiskStaticScore, + "destination.user.risk.static_score_norm", DestinationUserRiskStaticScoreNorm, "device.id", DeviceId, "device.manufacturer", 
DeviceManufacturer, "device.model.identifier", DeviceModelIdentifier, "device.model.name", DeviceModelName, "dll.name", DllName, "dll.path", DllPath, + "dll.hash.md5", DllHashMd5, + "dll.hash.sha1", DllHashSha1, + "dll.hash.sha256", DllHashSha256, + "dll.hash.sha384", DllHashSha384, + "dll.hash.sha512", DllHashSha512, + "dll.hash.ssdeep", DllHashSsdeep, + "dll.hash.tlsh", DllHashTlsh, + "dll.pe.architecture", DllPeArchitecture, + "dll.pe.company", DllPeCompany, + "dll.pe.description", DllPeDescription, + "dll.pe.file_version", DllPeFileVersion, + "dll.pe.go_import_hash", DllPeGoImportHash, + "dll.pe.go_imports", DllPeGoImports, + "dll.pe.go_imports_names_entropy", DllPeGoImportsNamesEntropy, + "dll.pe.go_imports_names_var_entropy", DllPeGoImportsNamesVarEntropy, + "dll.pe.go_stripped", DllPeGoStripped, + "dll.pe.imphash", DllPeImphash, + "dll.pe.import_hash", DllPeImportHash, + "dll.pe.imports_names_entropy", DllPeImportsNamesEntropy, + "dll.pe.imports_names_var_entropy", DllPeImportsNamesVarEntropy, + "dll.pe.original_file_name", DllPeOriginalFileName, + "dll.pe.pehash", DllPePehash, + "dll.pe.product", DllPeProduct, + "dll.code_signature.digest_algorithm", DllCodeSignatureDigestAlgorithm, + "dll.code_signature.exists", DllCodeSignatureExists, + "dll.code_signature.signing_id", DllCodeSignatureSigningId, + "dll.code_signature.status", DllCodeSignatureStatus, + "dll.code_signature.subject_name", DllCodeSignatureSubjectName, + "dll.code_signature.team_id", DllCodeSignatureTeamId, + "dll.code_signature.timestamp", DllCodeSignatureTimestamp, + "dll.code_signature.trusted", DllCodeSignatureTrusted, + "dll.code_signature.valid", DllCodeSignatureValid, "dns.id", DnsId, "dns.op_code", DnsOpCode, "dns.question.class", DnsQuestionClass, 
@@ -3455,11 +7308,85 @@ public static class LogTemplateProperties "file.target_path", FileTargetPath, "file.type", FileType, "file.uid", FileUid, + "file.hash.md5", FileHashMd5, + "file.hash.sha1", FileHashSha1, + "file.hash.sha256", FileHashSha256, + "file.hash.sha384", FileHashSha384, + "file.hash.sha512", FileHashSha512, + "file.hash.ssdeep", FileHashSsdeep, + "file.hash.tlsh", FileHashTlsh, + "file.pe.architecture", FilePeArchitecture, + "file.pe.company", FilePeCompany, + "file.pe.description", FilePeDescription, + "file.pe.file_version", FilePeFileVersion, + "file.pe.go_import_hash", FilePeGoImportHash, + "file.pe.go_imports", FilePeGoImports, + "file.pe.go_imports_names_entropy", FilePeGoImportsNamesEntropy, + "file.pe.go_imports_names_var_entropy", FilePeGoImportsNamesVarEntropy, + "file.pe.go_stripped", FilePeGoStripped, + "file.pe.imphash", FilePeImphash, + "file.pe.import_hash", FilePeImportHash, + "file.pe.imports_names_entropy", FilePeImportsNamesEntropy, + "file.pe.imports_names_var_entropy", FilePeImportsNamesVarEntropy, + "file.pe.original_file_name", FilePeOriginalFileName, + "file.pe.pehash", FilePePehash, + "file.pe.product", FilePeProduct, + "file.x509.issuer.distinguished_name", FileX509IssuerDistinguishedName, + "file.x509.not_after", FileX509NotAfter, + "file.x509.not_before", FileX509NotBefore, + "file.x509.public_key_algorithm", FileX509PublicKeyAlgorithm, + "file.x509.public_key_curve", FileX509PublicKeyCurve, + "file.x509.public_key_exponent", FileX509PublicKeyExponent, + "file.x509.public_key_size", FileX509PublicKeySize, + "file.x509.serial_number", FileX509SerialNumber, + "file.x509.signature_algorithm", FileX509SignatureAlgorithm, + "file.x509.subject.distinguished_name", FileX509SubjectDistinguishedName, + "file.x509.version_number", FileX509VersionNumber, + "file.code_signature.digest_algorithm", FileCodeSignatureDigestAlgorithm, + "file.code_signature.exists", FileCodeSignatureExists, + "file.code_signature.signing_id", 
FileCodeSignatureSigningId, + "file.code_signature.status", FileCodeSignatureStatus, + "file.code_signature.subject_name", FileCodeSignatureSubjectName, + "file.code_signature.team_id", FileCodeSignatureTeamId, + "file.code_signature.timestamp", FileCodeSignatureTimestamp, + "file.code_signature.trusted", FileCodeSignatureTrusted, + "file.code_signature.valid", FileCodeSignatureValid, + "file.elf.architecture", FileElfArchitecture, + "file.elf.byte_order", FileElfByteOrder, + "file.elf.cpu_type", FileElfCpuType, + "file.elf.creation_date", FileElfCreationDate, + "file.elf.go_import_hash", FileElfGoImportHash, + "file.elf.go_imports", FileElfGoImports, + "file.elf.go_imports_names_entropy", FileElfGoImportsNamesEntropy, + "file.elf.go_imports_names_var_entropy", FileElfGoImportsNamesVarEntropy, + "file.elf.go_stripped", FileElfGoStripped, + "file.elf.header.abi_version", FileElfHeaderAbiVersion, + "file.elf.header.class", FileElfHeaderClass, + "file.elf.header.data", FileElfHeaderData, + "file.elf.header.entrypoint", FileElfHeaderEntrypoint, + "file.elf.header.object_version", FileElfHeaderObjectVersion, + "file.elf.header.os_abi", FileElfHeaderOsAbi, + "file.elf.header.type", FileElfHeaderType, + "file.elf.header.version", FileElfHeaderVersion, + "file.elf.import_hash", FileElfImportHash, + "file.elf.imports_names_entropy", FileElfImportsNamesEntropy, + "file.elf.imports_names_var_entropy", FileElfImportsNamesVarEntropy, + "file.elf.telfhash", FileElfTelfhash, + "file.macho.go_import_hash", FileMachoGoImportHash, + "file.macho.go_imports", FileMachoGoImports, + "file.macho.go_imports_names_entropy", FileMachoGoImportsNamesEntropy, + "file.macho.go_imports_names_var_entropy", FileMachoGoImportsNamesVarEntropy, + "file.macho.go_stripped", FileMachoGoStripped, + "file.macho.import_hash", FileMachoImportHash, + "file.macho.imports_names_entropy", FileMachoImportsNamesEntropy, + "file.macho.imports_names_var_entropy", FileMachoImportsNamesVarEntropy, + 
"file.macho.symhash", FileMachoSymhash, "geo.city_name", GeoCityName, "geo.continent_code", GeoContinentCode, "geo.continent_name", GeoContinentName, "geo.country_iso_code", GeoCountryIsoCode, "geo.country_name", GeoCountryName, + "geo.location", GeoLocation, "geo.name", GeoName, "geo.postal_code", GeoPostalCode, "geo.region_iso_code", GeoRegionIsoCode, @@ -3491,6 +7418,30 @@ public static class LogTemplateProperties "host.pid_ns_ino", HostPidNsIno, "host.type", HostType, "host.uptime", HostUptime, + "host.geo.city_name", HostGeoCityName, + "host.geo.continent_code", HostGeoContinentCode, + "host.geo.continent_name", HostGeoContinentName, + "host.geo.country_iso_code", HostGeoCountryIsoCode, + "host.geo.country_name", HostGeoCountryName, + "host.geo.location", HostGeoLocation, + "host.geo.name", HostGeoName, + "host.geo.postal_code", HostGeoPostalCode, + "host.geo.region_iso_code", HostGeoRegionIsoCode, + "host.geo.region_name", HostGeoRegionName, + "host.geo.timezone", HostGeoTimezone, + "host.os.family", HostOsFamily, + "host.os.full", HostOsFull, + "host.os.kernel", HostOsKernel, + "host.os.name", HostOsName, + "host.os.platform", HostOsPlatform, + "host.os.type", HostOsType, + "host.os.version", HostOsVersion, + "host.risk.calculated_level", HostRiskCalculatedLevel, + "host.risk.calculated_score", HostRiskCalculatedScore, + "host.risk.calculated_score_norm", HostRiskCalculatedScoreNorm, + "host.risk.static_level", HostRiskStaticLevel, + "host.risk.static_score", HostRiskStaticScore, + "host.risk.static_score_norm", HostRiskStaticScoreNorm, "http.request.body.bytes", HttpRequestBodyBytes, "http.request.body.content", HttpRequestBodyContent, "http.request.bytes", HttpRequestBytes, 
@@ -3533,6 +7484,8 @@ public static class LogTemplateProperties "network.protocol", NetworkProtocol, "network.transport", NetworkTransport, "network.type", NetworkType, + "network.vlan.id", NetworkVlanId, + "network.vlan.name", NetworkVlanName, "observer.hostname", ObserverHostname, "observer.name", ObserverName, "observer.product", ObserverProduct, @@ -3540,6 +7493,24 @@ public static class LogTemplateProperties "observer.type", ObserverType, "observer.vendor", ObserverVendor, "observer.version", ObserverVersion, + "observer.geo.city_name", ObserverGeoCityName, + "observer.geo.continent_code", ObserverGeoContinentCode, + "observer.geo.continent_name", ObserverGeoContinentName, + "observer.geo.country_iso_code", ObserverGeoCountryIsoCode, + "observer.geo.country_name", ObserverGeoCountryName, + "observer.geo.location", ObserverGeoLocation, + "observer.geo.name", ObserverGeoName, + "observer.geo.postal_code", ObserverGeoPostalCode, + "observer.geo.region_iso_code", ObserverGeoRegionIsoCode, + "observer.geo.region_name", ObserverGeoRegionName, + "observer.geo.timezone", ObserverGeoTimezone, + "observer.os.family", ObserverOsFamily, + "observer.os.full", ObserverOsFull, + "observer.os.kernel", ObserverOsKernel, + "observer.os.name", ObserverOsName, + "observer.os.platform", ObserverOsPlatform, + "observer.os.type", ObserverOsType, + "observer.os.version", ObserverOsVersion, "orchestrator.api_version", OrchestratorApiVersion, "orchestrator.cluster.id", OrchestratorClusterId, "orchestrator.cluster.name", OrchestratorClusterName, 
@@ -3607,6 +7578,177 @@ public static class LogTemplateProperties "process.uptime", ProcessUptime, "process.vpid", ProcessVpid, "process.working_directory", ProcessWorkingDirectory, + "process.group.domain", ProcessGroupDomain, + "process.group.id", ProcessGroupId, + "process.group.name", ProcessGroupName, + "process.real_group.domain", ProcessRealGroupDomain, + "process.real_group.id", ProcessRealGroupId, + "process.real_group.name", ProcessRealGroupName, + "process.saved_group.domain", ProcessSavedGroupDomain, + "process.saved_group.id", ProcessSavedGroupId, + "process.saved_group.name", ProcessSavedGroupName, + "process.hash.md5", ProcessHashMd5, + "process.hash.sha1", ProcessHashSha1, + "process.hash.sha256", ProcessHashSha256, + "process.hash.sha384", ProcessHashSha384, + "process.hash.sha512", ProcessHashSha512, + "process.hash.ssdeep", ProcessHashSsdeep, + "process.hash.tlsh", ProcessHashTlsh, + "process.pe.architecture", ProcessPeArchitecture, + "process.pe.company", ProcessPeCompany, + "process.pe.description", ProcessPeDescription, + "process.pe.file_version", ProcessPeFileVersion, + "process.pe.go_import_hash", ProcessPeGoImportHash, + "process.pe.go_imports", ProcessPeGoImports, + "process.pe.go_imports_names_entropy", ProcessPeGoImportsNamesEntropy, + "process.pe.go_imports_names_var_entropy", ProcessPeGoImportsNamesVarEntropy, + "process.pe.go_stripped", ProcessPeGoStripped, + "process.pe.imphash", ProcessPeImphash, + "process.pe.import_hash", ProcessPeImportHash, + "process.pe.imports_names_entropy", ProcessPeImportsNamesEntropy, + "process.pe.imports_names_var_entropy", ProcessPeImportsNamesVarEntropy, + "process.pe.original_file_name", ProcessPeOriginalFileName, + "process.pe.pehash", ProcessPePehash, + "process.pe.product", ProcessPeProduct, + "process.code_signature.digest_algorithm", ProcessCodeSignatureDigestAlgorithm, + "process.code_signature.exists", ProcessCodeSignatureExists, + "process.code_signature.signing_id", 
ProcessCodeSignatureSigningId, + "process.code_signature.status", ProcessCodeSignatureStatus, + "process.code_signature.subject_name", ProcessCodeSignatureSubjectName, + "process.code_signature.team_id", ProcessCodeSignatureTeamId, + "process.code_signature.timestamp", ProcessCodeSignatureTimestamp, + "process.code_signature.trusted", ProcessCodeSignatureTrusted, + "process.code_signature.valid", ProcessCodeSignatureValid, + "process.elf.architecture", ProcessElfArchitecture, + "process.elf.byte_order", ProcessElfByteOrder, + "process.elf.cpu_type", ProcessElfCpuType, + "process.elf.creation_date", ProcessElfCreationDate, + "process.elf.go_import_hash", ProcessElfGoImportHash, + "process.elf.go_imports", ProcessElfGoImports, + "process.elf.go_imports_names_entropy", ProcessElfGoImportsNamesEntropy, + "process.elf.go_imports_names_var_entropy", ProcessElfGoImportsNamesVarEntropy, + "process.elf.go_stripped", ProcessElfGoStripped, + "process.elf.header.abi_version", ProcessElfHeaderAbiVersion, + "process.elf.header.class", ProcessElfHeaderClass, + "process.elf.header.data", ProcessElfHeaderData, + "process.elf.header.entrypoint", ProcessElfHeaderEntrypoint, + "process.elf.header.object_version", ProcessElfHeaderObjectVersion, + "process.elf.header.os_abi", ProcessElfHeaderOsAbi, + "process.elf.header.type", ProcessElfHeaderType, + "process.elf.header.version", ProcessElfHeaderVersion, + "process.elf.import_hash", ProcessElfImportHash, + "process.elf.imports_names_entropy", ProcessElfImportsNamesEntropy, + "process.elf.imports_names_var_entropy", ProcessElfImportsNamesVarEntropy, + "process.elf.telfhash", ProcessElfTelfhash, + "process.macho.go_import_hash", ProcessMachoGoImportHash, + "process.macho.go_imports", ProcessMachoGoImports, + "process.macho.go_imports_names_entropy", ProcessMachoGoImportsNamesEntropy, + "process.macho.go_imports_names_var_entropy", ProcessMachoGoImportsNamesVarEntropy, + "process.macho.go_stripped", ProcessMachoGoStripped, + 
"process.macho.import_hash", ProcessMachoImportHash, + "process.macho.imports_names_entropy", ProcessMachoImportsNamesEntropy, + "process.macho.imports_names_var_entropy", ProcessMachoImportsNamesVarEntropy, + "process.macho.symhash", ProcessMachoSymhash, + "process.entry_meta.source.address", ProcessEntryMetaSourceAddress, + "process.entry_meta.source.bytes", ProcessEntryMetaSourceBytes, + "process.entry_meta.source.domain", ProcessEntryMetaSourceDomain, + "process.entry_meta.source.ip", ProcessEntryMetaSourceIp, + "process.entry_meta.source.mac", ProcessEntryMetaSourceMac, + "process.entry_meta.source.nat.ip", ProcessEntryMetaSourceNatIp, + "process.entry_meta.source.nat.port", ProcessEntryMetaSourceNatPort, + "process.entry_meta.source.packets", ProcessEntryMetaSourcePackets, + "process.entry_meta.source.port", ProcessEntryMetaSourcePort, + "process.entry_meta.source.registered_domain", ProcessEntryMetaSourceRegisteredDomain, + "process.entry_meta.source.subdomain", ProcessEntryMetaSourceSubdomain, + "process.entry_meta.source.top_level_domain", ProcessEntryMetaSourceTopLevelDomain, + "process.entry_meta.source.as.number", ProcessEntryMetaSourceAsNumber, + "process.entry_meta.source.as.organization.name", ProcessEntryMetaSourceAsOrganizationName, + "process.entry_meta.source.geo.city_name", ProcessEntryMetaSourceGeoCityName, + "process.entry_meta.source.geo.continent_code", ProcessEntryMetaSourceGeoContinentCode, + "process.entry_meta.source.geo.continent_name", ProcessEntryMetaSourceGeoContinentName, + "process.entry_meta.source.geo.country_iso_code", ProcessEntryMetaSourceGeoCountryIsoCode, + "process.entry_meta.source.geo.country_name", ProcessEntryMetaSourceGeoCountryName, + "process.entry_meta.source.geo.location", ProcessEntryMetaSourceGeoLocation, + "process.entry_meta.source.geo.name", ProcessEntryMetaSourceGeoName, + "process.entry_meta.source.geo.postal_code", ProcessEntryMetaSourceGeoPostalCode, + "process.entry_meta.source.geo.region_iso_code", 
ProcessEntryMetaSourceGeoRegionIsoCode, + "process.entry_meta.source.geo.region_name", ProcessEntryMetaSourceGeoRegionName, + "process.entry_meta.source.geo.timezone", ProcessEntryMetaSourceGeoTimezone, + "process.entry_meta.source.user.domain", ProcessEntryMetaSourceUserDomain, + "process.entry_meta.source.user.email", ProcessEntryMetaSourceUserEmail, + "process.entry_meta.source.user.full_name", ProcessEntryMetaSourceUserFullName, + "process.entry_meta.source.user.hash", ProcessEntryMetaSourceUserHash, + "process.entry_meta.source.user.id", ProcessEntryMetaSourceUserId, + "process.entry_meta.source.user.name", ProcessEntryMetaSourceUserName, + "process.entry_meta.source.user.group.domain", ProcessEntryMetaSourceUserGroupDomain, + "process.entry_meta.source.user.group.id", ProcessEntryMetaSourceUserGroupId, + "process.entry_meta.source.user.group.name", ProcessEntryMetaSourceUserGroupName, + "process.entry_meta.source.user.risk.calculated_level", ProcessEntryMetaSourceUserRiskCalculatedLevel, + "process.entry_meta.source.user.risk.calculated_score", ProcessEntryMetaSourceUserRiskCalculatedScore, + "process.entry_meta.source.user.risk.calculated_score_norm", ProcessEntryMetaSourceUserRiskCalculatedScoreNorm, + "process.entry_meta.source.user.risk.static_level", ProcessEntryMetaSourceUserRiskStaticLevel, + "process.entry_meta.source.user.risk.static_score", ProcessEntryMetaSourceUserRiskStaticScore, + "process.entry_meta.source.user.risk.static_score_norm", ProcessEntryMetaSourceUserRiskStaticScoreNorm, + "process.user.domain", ProcessUserDomain, + "process.user.email", ProcessUserEmail, + "process.user.full_name", ProcessUserFullName, + "process.user.hash", ProcessUserHash, + "process.user.id", ProcessUserId, + "process.user.name", ProcessUserName, + "process.user.group.domain", ProcessUserGroupDomain, + "process.user.group.id", ProcessUserGroupId, + "process.user.group.name", ProcessUserGroupName, + "process.user.risk.calculated_level", 
ProcessUserRiskCalculatedLevel, + "process.user.risk.calculated_score", ProcessUserRiskCalculatedScore, + "process.user.risk.calculated_score_norm", ProcessUserRiskCalculatedScoreNorm, + "process.user.risk.static_level", ProcessUserRiskStaticLevel, + "process.user.risk.static_score", ProcessUserRiskStaticScore, + "process.user.risk.static_score_norm", ProcessUserRiskStaticScoreNorm, + "process.saved_user.domain", ProcessSavedUserDomain, + "process.saved_user.email", ProcessSavedUserEmail, + "process.saved_user.full_name", ProcessSavedUserFullName, + "process.saved_user.hash", ProcessSavedUserHash, + "process.saved_user.id", ProcessSavedUserId, + "process.saved_user.name", ProcessSavedUserName, + "process.saved_user.group.domain", ProcessSavedUserGroupDomain, + "process.saved_user.group.id", ProcessSavedUserGroupId, + "process.saved_user.group.name", ProcessSavedUserGroupName, + "process.saved_user.risk.calculated_level", ProcessSavedUserRiskCalculatedLevel, + "process.saved_user.risk.calculated_score", ProcessSavedUserRiskCalculatedScore, + "process.saved_user.risk.calculated_score_norm", ProcessSavedUserRiskCalculatedScoreNorm, + "process.saved_user.risk.static_level", ProcessSavedUserRiskStaticLevel, + "process.saved_user.risk.static_score", ProcessSavedUserRiskStaticScore, + "process.saved_user.risk.static_score_norm", ProcessSavedUserRiskStaticScoreNorm, + "process.real_user.domain", ProcessRealUserDomain, + "process.real_user.email", ProcessRealUserEmail, + "process.real_user.full_name", ProcessRealUserFullName, + "process.real_user.hash", ProcessRealUserHash, + "process.real_user.id", ProcessRealUserId, + "process.real_user.name", ProcessRealUserName, + "process.real_user.group.domain", ProcessRealUserGroupDomain, + "process.real_user.group.id", ProcessRealUserGroupId, + "process.real_user.group.name", ProcessRealUserGroupName, + "process.real_user.risk.calculated_level", ProcessRealUserRiskCalculatedLevel, + "process.real_user.risk.calculated_score", 
ProcessRealUserRiskCalculatedScore, + "process.real_user.risk.calculated_score_norm", ProcessRealUserRiskCalculatedScoreNorm, + "process.real_user.risk.static_level", ProcessRealUserRiskStaticLevel, + "process.real_user.risk.static_score", ProcessRealUserRiskStaticScore, + "process.real_user.risk.static_score_norm", ProcessRealUserRiskStaticScoreNorm, + "process.attested_user.domain", ProcessAttestedUserDomain, + "process.attested_user.email", ProcessAttestedUserEmail, + "process.attested_user.full_name", ProcessAttestedUserFullName, + "process.attested_user.hash", ProcessAttestedUserHash, + "process.attested_user.id", ProcessAttestedUserId, + "process.attested_user.name", ProcessAttestedUserName, + "process.attested_user.group.domain", ProcessAttestedUserGroupDomain, + "process.attested_user.group.id", ProcessAttestedUserGroupId, + "process.attested_user.group.name", ProcessAttestedUserGroupName, + "process.attested_user.risk.calculated_level", ProcessAttestedUserRiskCalculatedLevel, + "process.attested_user.risk.calculated_score", ProcessAttestedUserRiskCalculatedScore, + "process.attested_user.risk.calculated_score_norm", ProcessAttestedUserRiskCalculatedScoreNorm, + "process.attested_user.risk.static_level", ProcessAttestedUserRiskStaticLevel, + "process.attested_user.risk.static_score", ProcessAttestedUserRiskStaticScore, + "process.attested_user.risk.static_score_norm", ProcessAttestedUserRiskStaticScoreNorm, "registry.data.bytes", RegistryDataBytes, "registry.data.type", RegistryDataType, "registry.hive", RegistryHive, 
@@ -3640,6 +7782,34 @@ public static class LogTemplateProperties "server.registered_domain", ServerRegisteredDomain, "server.subdomain", ServerSubdomain, "server.top_level_domain", ServerTopLevelDomain, + "server.as.number", ServerAsNumber, + "server.as.organization.name", ServerAsOrganizationName, + "server.geo.city_name", ServerGeoCityName, + "server.geo.continent_code", ServerGeoContinentCode, + "server.geo.continent_name", ServerGeoContinentName, + "server.geo.country_iso_code", ServerGeoCountryIsoCode, + "server.geo.country_name", ServerGeoCountryName, + "server.geo.location", ServerGeoLocation, + "server.geo.name", ServerGeoName, + "server.geo.postal_code", ServerGeoPostalCode, + "server.geo.region_iso_code", ServerGeoRegionIsoCode, + "server.geo.region_name", ServerGeoRegionName, + "server.geo.timezone", ServerGeoTimezone, + "server.user.domain", ServerUserDomain, + "server.user.email", ServerUserEmail, + "server.user.full_name", ServerUserFullName, + "server.user.hash", ServerUserHash, + "server.user.id", ServerUserId, + "server.user.name", ServerUserName, + "server.user.group.domain", ServerUserGroupDomain, + "server.user.group.id", ServerUserGroupId, + "server.user.group.name", ServerUserGroupName, + "server.user.risk.calculated_level", ServerUserRiskCalculatedLevel, + "server.user.risk.calculated_score", ServerUserRiskCalculatedScore, + "server.user.risk.calculated_score_norm", ServerUserRiskCalculatedScoreNorm, + "server.user.risk.static_level", ServerUserRiskStaticLevel, + "server.user.risk.static_score", ServerUserRiskStaticScore, + "server.user.risk.static_score_norm", ServerUserRiskStaticScoreNorm, "service.address", ServiceAddress, "service.environment", ServiceEnvironment, "service.ephemeral_id", ServiceEphemeralId, 
@@ -3662,6 +7832,34 @@ public static class LogTemplateProperties "source.registered_domain", SourceRegisteredDomain, "source.subdomain", SourceSubdomain, "source.top_level_domain", SourceTopLevelDomain, + "source.as.number", SourceAsNumber, + "source.as.organization.name", SourceAsOrganizationName, + "source.geo.city_name", SourceGeoCityName, + "source.geo.continent_code", SourceGeoContinentCode, + "source.geo.continent_name", SourceGeoContinentName, + "source.geo.country_iso_code", SourceGeoCountryIsoCode, + "source.geo.country_name", SourceGeoCountryName, + "source.geo.location", SourceGeoLocation, + "source.geo.name", SourceGeoName, + "source.geo.postal_code", SourceGeoPostalCode, + "source.geo.region_iso_code", SourceGeoRegionIsoCode, + "source.geo.region_name", SourceGeoRegionName, + "source.geo.timezone", SourceGeoTimezone, + "source.user.domain", SourceUserDomain, + "source.user.email", SourceUserEmail, + "source.user.full_name", SourceUserFullName, + "source.user.hash", SourceUserHash, + "source.user.id", SourceUserId, + "source.user.name", SourceUserName, + "source.user.group.domain", SourceUserGroupDomain, + "source.user.group.id", SourceUserGroupId, + "source.user.group.name", SourceUserGroupName, + "source.user.risk.calculated_level", SourceUserRiskCalculatedLevel, + "source.user.risk.calculated_score", SourceUserRiskCalculatedScore, + "source.user.risk.calculated_score_norm", SourceUserRiskCalculatedScoreNorm, + "source.user.risk.static_level", SourceUserRiskStaticLevel, + "source.user.risk.static_score", SourceUserRiskStaticScore, + "source.user.risk.static_score_norm", SourceUserRiskStaticScoreNorm, "threat.feed.dashboard_id", ThreatFeedDashboardId, "threat.feed.description", ThreatFeedDescription, "threat.feed.name", ThreatFeedName, 
@@ -3690,6 +7888,144 @@ public static class LogTemplateProperties "threat.software.name", ThreatSoftwareName, "threat.software.reference", ThreatSoftwareReference, "threat.software.type", ThreatSoftwareType, + "threat.indicator.x509.issuer.distinguished_name", ThreatIndicatorX509IssuerDistinguishedName, + "threat.indicator.x509.not_after", ThreatIndicatorX509NotAfter, + "threat.indicator.x509.not_before", ThreatIndicatorX509NotBefore, + "threat.indicator.x509.public_key_algorithm", ThreatIndicatorX509PublicKeyAlgorithm, + "threat.indicator.x509.public_key_curve", ThreatIndicatorX509PublicKeyCurve, + "threat.indicator.x509.public_key_exponent", ThreatIndicatorX509PublicKeyExponent, + "threat.indicator.x509.public_key_size", ThreatIndicatorX509PublicKeySize, + "threat.indicator.x509.serial_number", ThreatIndicatorX509SerialNumber, + "threat.indicator.x509.signature_algorithm", ThreatIndicatorX509SignatureAlgorithm, + "threat.indicator.x509.subject.distinguished_name", ThreatIndicatorX509SubjectDistinguishedName, + "threat.indicator.x509.version_number", ThreatIndicatorX509VersionNumber, + "threat.indicator.as.number", ThreatIndicatorAsNumber, + "threat.indicator.as.organization.name", ThreatIndicatorAsOrganizationName, + "threat.indicator.file.accessed", ThreatIndicatorFileAccessed, + "threat.indicator.file.created", ThreatIndicatorFileCreated, + "threat.indicator.file.ctime", ThreatIndicatorFileCtime, + "threat.indicator.file.device", ThreatIndicatorFileDevice, + "threat.indicator.file.directory", ThreatIndicatorFileDirectory, + "threat.indicator.file.drive_letter", ThreatIndicatorFileDriveLetter, + "threat.indicator.file.extension", ThreatIndicatorFileExtension, + "threat.indicator.file.fork_name", ThreatIndicatorFileForkName, + "threat.indicator.file.gid", ThreatIndicatorFileGid, + "threat.indicator.file.group", ThreatIndicatorFileGroup, + "threat.indicator.file.inode", ThreatIndicatorFileInode, + "threat.indicator.file.mime_type", ThreatIndicatorFileMimeType, + 
"threat.indicator.file.mode", ThreatIndicatorFileMode, + "threat.indicator.file.mtime", ThreatIndicatorFileMtime, + "threat.indicator.file.name", ThreatIndicatorFileName, + "threat.indicator.file.owner", ThreatIndicatorFileOwner, + "threat.indicator.file.path", ThreatIndicatorFilePath, + "threat.indicator.file.size", ThreatIndicatorFileSize, + "threat.indicator.file.target_path", ThreatIndicatorFileTargetPath, + "threat.indicator.file.type", ThreatIndicatorFileType, + "threat.indicator.file.uid", ThreatIndicatorFileUid, + "threat.indicator.file.hash.md5", ThreatIndicatorFileHashMd5, + "threat.indicator.file.hash.sha1", ThreatIndicatorFileHashSha1, + "threat.indicator.file.hash.sha256", ThreatIndicatorFileHashSha256, + "threat.indicator.file.hash.sha384", ThreatIndicatorFileHashSha384, + "threat.indicator.file.hash.sha512", ThreatIndicatorFileHashSha512, + "threat.indicator.file.hash.ssdeep", ThreatIndicatorFileHashSsdeep, + "threat.indicator.file.hash.tlsh", ThreatIndicatorFileHashTlsh, + "threat.indicator.file.pe.architecture", ThreatIndicatorFilePeArchitecture, + "threat.indicator.file.pe.company", ThreatIndicatorFilePeCompany, + "threat.indicator.file.pe.description", ThreatIndicatorFilePeDescription, + "threat.indicator.file.pe.file_version", ThreatIndicatorFilePeFileVersion, + "threat.indicator.file.pe.go_import_hash", ThreatIndicatorFilePeGoImportHash, + "threat.indicator.file.pe.go_imports", ThreatIndicatorFilePeGoImports, + "threat.indicator.file.pe.go_imports_names_entropy", ThreatIndicatorFilePeGoImportsNamesEntropy, + "threat.indicator.file.pe.go_imports_names_var_entropy", ThreatIndicatorFilePeGoImportsNamesVarEntropy, + "threat.indicator.file.pe.go_stripped", ThreatIndicatorFilePeGoStripped, + "threat.indicator.file.pe.imphash", ThreatIndicatorFilePeImphash, + "threat.indicator.file.pe.import_hash", ThreatIndicatorFilePeImportHash, + "threat.indicator.file.pe.imports_names_entropy", ThreatIndicatorFilePeImportsNamesEntropy, + 
"threat.indicator.file.pe.imports_names_var_entropy", ThreatIndicatorFilePeImportsNamesVarEntropy, + "threat.indicator.file.pe.original_file_name", ThreatIndicatorFilePeOriginalFileName, + "threat.indicator.file.pe.pehash", ThreatIndicatorFilePePehash, + "threat.indicator.file.pe.product", ThreatIndicatorFilePeProduct, + "threat.indicator.file.x509.issuer.distinguished_name", ThreatIndicatorFileX509IssuerDistinguishedName, + "threat.indicator.file.x509.not_after", ThreatIndicatorFileX509NotAfter, + "threat.indicator.file.x509.not_before", ThreatIndicatorFileX509NotBefore, + "threat.indicator.file.x509.public_key_algorithm", ThreatIndicatorFileX509PublicKeyAlgorithm, + "threat.indicator.file.x509.public_key_curve", ThreatIndicatorFileX509PublicKeyCurve, + "threat.indicator.file.x509.public_key_exponent", ThreatIndicatorFileX509PublicKeyExponent, + "threat.indicator.file.x509.public_key_size", ThreatIndicatorFileX509PublicKeySize, + "threat.indicator.file.x509.serial_number", ThreatIndicatorFileX509SerialNumber, + "threat.indicator.file.x509.signature_algorithm", ThreatIndicatorFileX509SignatureAlgorithm, + "threat.indicator.file.x509.subject.distinguished_name", ThreatIndicatorFileX509SubjectDistinguishedName, + "threat.indicator.file.x509.version_number", ThreatIndicatorFileX509VersionNumber, + "threat.indicator.file.code_signature.digest_algorithm", ThreatIndicatorFileCodeSignatureDigestAlgorithm, + "threat.indicator.file.code_signature.exists", ThreatIndicatorFileCodeSignatureExists, + "threat.indicator.file.code_signature.signing_id", ThreatIndicatorFileCodeSignatureSigningId, + "threat.indicator.file.code_signature.status", ThreatIndicatorFileCodeSignatureStatus, + "threat.indicator.file.code_signature.subject_name", ThreatIndicatorFileCodeSignatureSubjectName, + "threat.indicator.file.code_signature.team_id", ThreatIndicatorFileCodeSignatureTeamId, + "threat.indicator.file.code_signature.timestamp", ThreatIndicatorFileCodeSignatureTimestamp, + 
"threat.indicator.file.code_signature.trusted", ThreatIndicatorFileCodeSignatureTrusted, + "threat.indicator.file.code_signature.valid", ThreatIndicatorFileCodeSignatureValid, + "threat.indicator.file.elf.architecture", ThreatIndicatorFileElfArchitecture, + "threat.indicator.file.elf.byte_order", ThreatIndicatorFileElfByteOrder, + "threat.indicator.file.elf.cpu_type", ThreatIndicatorFileElfCpuType, + "threat.indicator.file.elf.creation_date", ThreatIndicatorFileElfCreationDate, + "threat.indicator.file.elf.go_import_hash", ThreatIndicatorFileElfGoImportHash, + "threat.indicator.file.elf.go_imports", ThreatIndicatorFileElfGoImports, + "threat.indicator.file.elf.go_imports_names_entropy", ThreatIndicatorFileElfGoImportsNamesEntropy, + "threat.indicator.file.elf.go_imports_names_var_entropy", ThreatIndicatorFileElfGoImportsNamesVarEntropy, + "threat.indicator.file.elf.go_stripped", ThreatIndicatorFileElfGoStripped, + "threat.indicator.file.elf.header.abi_version", ThreatIndicatorFileElfHeaderAbiVersion, + "threat.indicator.file.elf.header.class", ThreatIndicatorFileElfHeaderClass, + "threat.indicator.file.elf.header.data", ThreatIndicatorFileElfHeaderData, + "threat.indicator.file.elf.header.entrypoint", ThreatIndicatorFileElfHeaderEntrypoint, + "threat.indicator.file.elf.header.object_version", ThreatIndicatorFileElfHeaderObjectVersion, + "threat.indicator.file.elf.header.os_abi", ThreatIndicatorFileElfHeaderOsAbi, + "threat.indicator.file.elf.header.type", ThreatIndicatorFileElfHeaderType, + "threat.indicator.file.elf.header.version", ThreatIndicatorFileElfHeaderVersion, + "threat.indicator.file.elf.import_hash", ThreatIndicatorFileElfImportHash, + "threat.indicator.file.elf.imports_names_entropy", ThreatIndicatorFileElfImportsNamesEntropy, + "threat.indicator.file.elf.imports_names_var_entropy", ThreatIndicatorFileElfImportsNamesVarEntropy, + "threat.indicator.file.elf.telfhash", ThreatIndicatorFileElfTelfhash, + "threat.indicator.file.macho.go_import_hash", 
ThreatIndicatorFileMachoGoImportHash, + "threat.indicator.file.macho.go_imports", ThreatIndicatorFileMachoGoImports, + "threat.indicator.file.macho.go_imports_names_entropy", ThreatIndicatorFileMachoGoImportsNamesEntropy, + "threat.indicator.file.macho.go_imports_names_var_entropy", ThreatIndicatorFileMachoGoImportsNamesVarEntropy, + "threat.indicator.file.macho.go_stripped", ThreatIndicatorFileMachoGoStripped, + "threat.indicator.file.macho.import_hash", ThreatIndicatorFileMachoImportHash, + "threat.indicator.file.macho.imports_names_entropy", ThreatIndicatorFileMachoImportsNamesEntropy, + "threat.indicator.file.macho.imports_names_var_entropy", ThreatIndicatorFileMachoImportsNamesVarEntropy, + "threat.indicator.file.macho.symhash", ThreatIndicatorFileMachoSymhash, + "threat.indicator.geo.city_name", ThreatIndicatorGeoCityName, + "threat.indicator.geo.continent_code", ThreatIndicatorGeoContinentCode, + "threat.indicator.geo.continent_name", ThreatIndicatorGeoContinentName, + "threat.indicator.geo.country_iso_code", ThreatIndicatorGeoCountryIsoCode, + "threat.indicator.geo.country_name", ThreatIndicatorGeoCountryName, + "threat.indicator.geo.location", ThreatIndicatorGeoLocation, + "threat.indicator.geo.name", ThreatIndicatorGeoName, + "threat.indicator.geo.postal_code", ThreatIndicatorGeoPostalCode, + "threat.indicator.geo.region_iso_code", ThreatIndicatorGeoRegionIsoCode, + "threat.indicator.geo.region_name", ThreatIndicatorGeoRegionName, + "threat.indicator.geo.timezone", ThreatIndicatorGeoTimezone, + "threat.indicator.registry.data.bytes", ThreatIndicatorRegistryDataBytes, + "threat.indicator.registry.data.type", ThreatIndicatorRegistryDataType, + "threat.indicator.registry.hive", ThreatIndicatorRegistryHive, + "threat.indicator.registry.key", ThreatIndicatorRegistryKey, + "threat.indicator.registry.path", ThreatIndicatorRegistryPath, + "threat.indicator.registry.value", ThreatIndicatorRegistryValue, + "threat.indicator.url.domain", ThreatIndicatorUrlDomain, + 
"threat.indicator.url.extension", ThreatIndicatorUrlExtension, + "threat.indicator.url.fragment", ThreatIndicatorUrlFragment, + "threat.indicator.url.full", ThreatIndicatorUrlFull, + "threat.indicator.url.original", ThreatIndicatorUrlOriginal, + "threat.indicator.url.password", ThreatIndicatorUrlPassword, + "threat.indicator.url.path", ThreatIndicatorUrlPath, + "threat.indicator.url.port", ThreatIndicatorUrlPort, + "threat.indicator.url.query", ThreatIndicatorUrlQuery, + "threat.indicator.url.registered_domain", ThreatIndicatorUrlRegisteredDomain, + "threat.indicator.url.scheme", ThreatIndicatorUrlScheme, + "threat.indicator.url.subdomain", ThreatIndicatorUrlSubdomain, + "threat.indicator.url.top_level_domain", ThreatIndicatorUrlTopLevelDomain, + "threat.indicator.url.username", ThreatIndicatorUrlUsername, "tls.cipher", TlsCipher, "tls.client.certificate", TlsClientCertificate, "tls.client.hash.md5", TlsClientHashMd5, @@ -3716,6 +8052,17 @@ public static class LogTemplateProperties "tls.server.subject", TlsServerSubject, "tls.version", TlsVersion, "tls.version_protocol", TlsVersionProtocol, + "tls.client.x509.issuer.distinguished_name", TlsClientX509IssuerDistinguishedName, + "tls.client.x509.not_after", TlsClientX509NotAfter, + "tls.client.x509.not_before", TlsClientX509NotBefore, + "tls.client.x509.public_key_algorithm", TlsClientX509PublicKeyAlgorithm, + "tls.client.x509.public_key_curve", TlsClientX509PublicKeyCurve, + "tls.client.x509.public_key_exponent", TlsClientX509PublicKeyExponent, + "tls.client.x509.public_key_size", TlsClientX509PublicKeySize, + "tls.client.x509.serial_number", TlsClientX509SerialNumber, + "tls.client.x509.signature_algorithm", TlsClientX509SignatureAlgorithm, + "tls.client.x509.subject.distinguished_name", TlsClientX509SubjectDistinguishedName, + "tls.client.x509.version_number", TlsClientX509VersionNumber, "url.domain", UrlDomain, "url.extension", UrlExtension, "url.fragment", UrlFragment, 
@@ -3736,10 +8083,26 @@ public static class LogTemplateProperties "user.hash", UserHash, "user.id", UserId, "user.name", UserName, + "user.group.domain", UserGroupDomain, + "user.group.id", UserGroupId, + "user.group.name", UserGroupName, + "user.risk.calculated_level", UserRiskCalculatedLevel, + "user.risk.calculated_score", UserRiskCalculatedScore, + "user.risk.calculated_score_norm", UserRiskCalculatedScoreNorm, + "user.risk.static_level", UserRiskStaticLevel, + "user.risk.static_score", UserRiskStaticScore, + "user.risk.static_score_norm", UserRiskStaticScoreNorm, "user_agent.device.name", UserAgentDeviceName, "user_agent.name", UserAgentName, "user_agent.original", UserAgentOriginal, "user_agent.version", UserAgentVersion, + "user_agent.os.family", UserAgentOsFamily, + "user_agent.os.full", UserAgentOsFull, + "user_agent.os.kernel", UserAgentOsKernel, + "user_agent.os.name", UserAgentOsName, + "user_agent.os.platform", UserAgentOsPlatform, + "user_agent.os.type", UserAgentOsType, + "user_agent.os.version", UserAgentOsVersion, "vlan.id", VlanId, "vlan.name", VlanName, "vulnerability.classification", VulnerabilityClassification, diff --git a/src/Elastic.CommonSchema/PropDispatch.Generated.cs b/src/Elastic.CommonSchema/PropDispatch.Generated.cs index c3cbc6a4..76239362 100644 --- a/src/Elastic.CommonSchema/PropDispatch.Generated.cs +++ b/src/Elastic.CommonSchema/PropDispatch.Generated.cs 
@@ -709,6 +709,62 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ClientSubdomain": case "client.top_level_domain": case "ClientTopLevelDomain": + case "client.as.number": + case "ClientAsNumber": + case "client.as.organization.name": + case "ClientAsOrganizationName": + case "client.geo.city_name": + case "ClientGeoCityName": + case "client.geo.continent_code": + case "ClientGeoContinentCode": + case "client.geo.continent_name": + case "ClientGeoContinentName": + case "client.geo.country_iso_code": + case "ClientGeoCountryIsoCode": + case "client.geo.country_name": + case "ClientGeoCountryName": + case "client.geo.location": + case "ClientGeoLocation": + case "client.geo.name": + case "ClientGeoName": + case "client.geo.postal_code": + case "ClientGeoPostalCode": + case "client.geo.region_iso_code": + case "ClientGeoRegionIsoCode": + case "client.geo.region_name": + case "ClientGeoRegionName": + case "client.geo.timezone": + case "ClientGeoTimezone": + case "client.user.domain": + case "ClientUserDomain": + case "client.user.email": + case "ClientUserEmail": + case "client.user.full_name": + case "ClientUserFullName": + case "client.user.hash": + case "ClientUserHash": + case "client.user.id": + case "ClientUserId": + case "client.user.name": + case "ClientUserName": + case "client.user.group.domain": + case "ClientUserGroupDomain": + case "client.user.group.id": + case "ClientUserGroupId": + case "client.user.group.name": + case "ClientUserGroupName": + case "client.user.risk.calculated_level": + case "ClientUserRiskCalculatedLevel": + case "client.user.risk.calculated_score": + case "ClientUserRiskCalculatedScore": + case "client.user.risk.calculated_score_norm": + case "ClientUserRiskCalculatedScoreNorm": + case "client.user.risk.static_level": + case "ClientUserRiskStaticLevel": + case "client.user.risk.static_score": + case "ClientUserRiskStaticScore": + case "client.user.risk.static_score_norm": + case 
"ClientUserRiskStaticScoreNorm": return TrySetClient(document, path, value); case "cloud.account.id": case "CloudAccountId": 
@@ -806,6 +862,62 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "DestinationSubdomain": case "destination.top_level_domain": case "DestinationTopLevelDomain": + case "destination.as.number": + case "DestinationAsNumber": + case "destination.as.organization.name": + case "DestinationAsOrganizationName": + case "destination.geo.city_name": + case "DestinationGeoCityName": + case "destination.geo.continent_code": + case "DestinationGeoContinentCode": + case "destination.geo.continent_name": + case "DestinationGeoContinentName": + case "destination.geo.country_iso_code": + case "DestinationGeoCountryIsoCode": + case "destination.geo.country_name": + case "DestinationGeoCountryName": + case "destination.geo.location": + case "DestinationGeoLocation": + case "destination.geo.name": + case "DestinationGeoName": + case "destination.geo.postal_code": + case "DestinationGeoPostalCode": + case "destination.geo.region_iso_code": + case "DestinationGeoRegionIsoCode": + case "destination.geo.region_name": + case "DestinationGeoRegionName": + case "destination.geo.timezone": + case "DestinationGeoTimezone": + case "destination.user.domain": + case "DestinationUserDomain": + case "destination.user.email": + case "DestinationUserEmail": + case "destination.user.full_name": + case "DestinationUserFullName": + case "destination.user.hash": + case "DestinationUserHash": + case "destination.user.id": + case "DestinationUserId": + case "destination.user.name": + case "DestinationUserName": + case "destination.user.group.domain": + case "DestinationUserGroupDomain": + case "destination.user.group.id": + case "DestinationUserGroupId": + case "destination.user.group.name": + case "DestinationUserGroupName": + case "destination.user.risk.calculated_level": + case "DestinationUserRiskCalculatedLevel": + case "destination.user.risk.calculated_score": + case "DestinationUserRiskCalculatedScore": + case "destination.user.risk.calculated_score_norm": + case 
"DestinationUserRiskCalculatedScoreNorm": + case "destination.user.risk.static_level": + case "DestinationUserRiskStaticLevel": + case "destination.user.risk.static_score": + case "DestinationUserRiskStaticScore": + case "destination.user.risk.static_score_norm": + case "DestinationUserRiskStaticScoreNorm": return TrySetDestination(document, path, value); case "device.id": case "DeviceId": 
@@ -820,6 +932,70 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "DllName": case "dll.path": case "DllPath": + case "dll.hash.md5": + case "DllHashMd5": + case "dll.hash.sha1": + case "DllHashSha1": + case "dll.hash.sha256": + case "DllHashSha256": + case "dll.hash.sha384": + case "DllHashSha384": + case "dll.hash.sha512": + case "DllHashSha512": + case "dll.hash.ssdeep": + case "DllHashSsdeep": + case "dll.hash.tlsh": + case "DllHashTlsh": + case "dll.pe.architecture": + case "DllPeArchitecture": + case "dll.pe.company": + case "DllPeCompany": + case "dll.pe.description": + case "DllPeDescription": + case "dll.pe.file_version": + case "DllPeFileVersion": + case "dll.pe.go_import_hash": + case "DllPeGoImportHash": + case "dll.pe.go_imports": + case "DllPeGoImports": + case "dll.pe.go_imports_names_entropy": + case "DllPeGoImportsNamesEntropy": + case "dll.pe.go_imports_names_var_entropy": + case "DllPeGoImportsNamesVarEntropy": + case "dll.pe.go_stripped": + case "DllPeGoStripped": + case "dll.pe.imphash": + case "DllPeImphash": + case "dll.pe.import_hash": + case "DllPeImportHash": + case "dll.pe.imports_names_entropy": + case "DllPeImportsNamesEntropy": + case "dll.pe.imports_names_var_entropy": + case "DllPeImportsNamesVarEntropy": + case "dll.pe.original_file_name": + case "DllPeOriginalFileName": + case "dll.pe.pehash": + case "DllPePehash": + case "dll.pe.product": + case "DllPeProduct": + case "dll.code_signature.digest_algorithm": + case "DllCodeSignatureDigestAlgorithm": + case "dll.code_signature.exists": + case "DllCodeSignatureExists": + case "dll.code_signature.signing_id": + case "DllCodeSignatureSigningId": + case "dll.code_signature.status": + case "DllCodeSignatureStatus": + case "dll.code_signature.subject_name": + case "DllCodeSignatureSubjectName": + case "dll.code_signature.team_id": + case "DllCodeSignatureTeamId": + case "dll.code_signature.timestamp": + case "DllCodeSignatureTimestamp": + case 
"dll.code_signature.trusted": + case "DllCodeSignatureTrusted": + case "dll.code_signature.valid": + case "DllCodeSignatureValid": return TrySetDll(document, path, value); case "dns.id": case "DnsId": 
@@ -1024,6 +1200,152 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "FileType": case "file.uid": case "FileUid": + case "file.hash.md5": + case "FileHashMd5": + case "file.hash.sha1": + case "FileHashSha1": + case "file.hash.sha256": + case "FileHashSha256": + case "file.hash.sha384": + case "FileHashSha384": + case "file.hash.sha512": + case "FileHashSha512": + case "file.hash.ssdeep": + case "FileHashSsdeep": + case "file.hash.tlsh": + case "FileHashTlsh": + case "file.pe.architecture": + case "FilePeArchitecture": + case "file.pe.company": + case "FilePeCompany": + case "file.pe.description": + case "FilePeDescription": + case "file.pe.file_version": + case "FilePeFileVersion": + case "file.pe.go_import_hash": + case "FilePeGoImportHash": + case "file.pe.go_imports": + case "FilePeGoImports": + case "file.pe.go_imports_names_entropy": + case "FilePeGoImportsNamesEntropy": + case "file.pe.go_imports_names_var_entropy": + case "FilePeGoImportsNamesVarEntropy": + case "file.pe.go_stripped": + case "FilePeGoStripped": + case "file.pe.imphash": + case "FilePeImphash": + case "file.pe.import_hash": + case "FilePeImportHash": + case "file.pe.imports_names_entropy": + case "FilePeImportsNamesEntropy": + case "file.pe.imports_names_var_entropy": + case "FilePeImportsNamesVarEntropy": + case "file.pe.original_file_name": + case "FilePeOriginalFileName": + case "file.pe.pehash": + case "FilePePehash": + case "file.pe.product": + case "FilePeProduct": + case "file.x509.issuer.distinguished_name": + case "FileX509IssuerDistinguishedName": + case "file.x509.not_after": + case "FileX509NotAfter": + case "file.x509.not_before": + case "FileX509NotBefore": + case "file.x509.public_key_algorithm": + case "FileX509PublicKeyAlgorithm": + case "file.x509.public_key_curve": + case "FileX509PublicKeyCurve": + case "file.x509.public_key_exponent": + case "FileX509PublicKeyExponent": + case "file.x509.public_key_size": + case 
"FileX509PublicKeySize": + case "file.x509.serial_number": + case "FileX509SerialNumber": + case "file.x509.signature_algorithm": + case "FileX509SignatureAlgorithm": + case "file.x509.subject.distinguished_name": + case "FileX509SubjectDistinguishedName": + case "file.x509.version_number": + case "FileX509VersionNumber": + case "file.code_signature.digest_algorithm": + case "FileCodeSignatureDigestAlgorithm": + case "file.code_signature.exists": + case "FileCodeSignatureExists": + case "file.code_signature.signing_id": + case "FileCodeSignatureSigningId": + case "file.code_signature.status": + case "FileCodeSignatureStatus": + case "file.code_signature.subject_name": + case "FileCodeSignatureSubjectName": + case "file.code_signature.team_id": + case "FileCodeSignatureTeamId": + case "file.code_signature.timestamp": + case "FileCodeSignatureTimestamp": + case "file.code_signature.trusted": + case "FileCodeSignatureTrusted": + case "file.code_signature.valid": + case "FileCodeSignatureValid": + case "file.elf.architecture": + case "FileElfArchitecture": + case "file.elf.byte_order": + case "FileElfByteOrder": + case "file.elf.cpu_type": + case "FileElfCpuType": + case "file.elf.creation_date": + case "FileElfCreationDate": + case "file.elf.go_import_hash": + case "FileElfGoImportHash": + case "file.elf.go_imports": + case "FileElfGoImports": + case "file.elf.go_imports_names_entropy": + case "FileElfGoImportsNamesEntropy": + case "file.elf.go_imports_names_var_entropy": + case "FileElfGoImportsNamesVarEntropy": + case "file.elf.go_stripped": + case "FileElfGoStripped": + case "file.elf.header.abi_version": + case "FileElfHeaderAbiVersion": + case "file.elf.header.class": + case "FileElfHeaderClass": + case "file.elf.header.data": + case "FileElfHeaderData": + case "file.elf.header.entrypoint": + case "FileElfHeaderEntrypoint": + case "file.elf.header.object_version": + case "FileElfHeaderObjectVersion": + case "file.elf.header.os_abi": + case "FileElfHeaderOsAbi": + 
case "file.elf.header.type": + case "FileElfHeaderType": + case "file.elf.header.version": + case "FileElfHeaderVersion": + case "file.elf.import_hash": + case "FileElfImportHash": + case "file.elf.imports_names_entropy": + case "FileElfImportsNamesEntropy": + case "file.elf.imports_names_var_entropy": + case "FileElfImportsNamesVarEntropy": + case "file.elf.telfhash": + case "FileElfTelfhash": + case "file.macho.go_import_hash": + case "FileMachoGoImportHash": + case "file.macho.go_imports": + case "FileMachoGoImports": + case "file.macho.go_imports_names_entropy": + case "FileMachoGoImportsNamesEntropy": + case "file.macho.go_imports_names_var_entropy": + case "FileMachoGoImportsNamesVarEntropy": + case "file.macho.go_stripped": + case "FileMachoGoStripped": + case "file.macho.import_hash": + case "FileMachoImportHash": + case "file.macho.imports_names_entropy": + case "FileMachoImportsNamesEntropy": + case "file.macho.imports_names_var_entropy": + case "FileMachoImportsNamesVarEntropy": + case "file.macho.symhash": + case "FileMachoSymhash": return TrySetFile(document, path, value); case "geo.city_name": case "GeoCityName": @@ -1035,6 +1357,8 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "GeoCountryIsoCode": case "geo.country_name": case "GeoCountryName": + case "geo.location": + case "GeoLocation": case "geo.name": case "GeoName": case "geo.postal_code": 
@@ -1100,6 +1424,54 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "HostType": case "host.uptime": case "HostUptime": + case "host.geo.city_name": + case "HostGeoCityName": + case "host.geo.continent_code": + case "HostGeoContinentCode": + case "host.geo.continent_name": + case "HostGeoContinentName": + case "host.geo.country_iso_code": + case "HostGeoCountryIsoCode": + case "host.geo.country_name": + case "HostGeoCountryName": + case "host.geo.location": + case "HostGeoLocation": + case "host.geo.name": + case "HostGeoName": + case "host.geo.postal_code": + case "HostGeoPostalCode": + case "host.geo.region_iso_code": + case "HostGeoRegionIsoCode": + case "host.geo.region_name": + case "HostGeoRegionName": + case "host.geo.timezone": + case "HostGeoTimezone": + case "host.os.family": + case "HostOsFamily": + case "host.os.full": + case "HostOsFull": + case "host.os.kernel": + case "HostOsKernel": + case "host.os.name": + case "HostOsName": + case "host.os.platform": + case "HostOsPlatform": + case "host.os.type": + case "HostOsType": + case "host.os.version": + case "HostOsVersion": + case "host.risk.calculated_level": + case "HostRiskCalculatedLevel": + case "host.risk.calculated_score": + case "HostRiskCalculatedScore": + case "host.risk.calculated_score_norm": + case "HostRiskCalculatedScoreNorm": + case "host.risk.static_level": + case "HostRiskStaticLevel": + case "host.risk.static_score": + case "HostRiskStaticScore": + case "host.risk.static_score_norm": + case "HostRiskStaticScoreNorm": return TrySetHost(document, path, value); case "http.request.body.bytes": case "HttpRequestBodyBytes": 
@@ -1189,6 +1561,10 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "NetworkTransport": case "network.type": case "NetworkType": + case "network.vlan.id": + case "NetworkVlanId": + case "network.vlan.name": + case "NetworkVlanName": return TrySetNetwork(document, path, value); case "observer.hostname": case "ObserverHostname": @@ -1204,6 +1580,42 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ObserverVendor": case "observer.version": case "ObserverVersion": + case "observer.geo.city_name": + case "ObserverGeoCityName": + case "observer.geo.continent_code": + case "ObserverGeoContinentCode": + case "observer.geo.continent_name": + case "ObserverGeoContinentName": + case "observer.geo.country_iso_code": + case "ObserverGeoCountryIsoCode": + case "observer.geo.country_name": + case "ObserverGeoCountryName": + case "observer.geo.location": + case "ObserverGeoLocation": + case "observer.geo.name": + case "ObserverGeoName": + case "observer.geo.postal_code": + case "ObserverGeoPostalCode": + case "observer.geo.region_iso_code": + case "ObserverGeoRegionIsoCode": + case "observer.geo.region_name": + case "ObserverGeoRegionName": + case "observer.geo.timezone": + case "ObserverGeoTimezone": + case "observer.os.family": + case "ObserverOsFamily": + case "observer.os.full": + case "ObserverOsFull": + case "observer.os.kernel": + case "ObserverOsKernel": + case "observer.os.name": + case "ObserverOsName": + case "observer.os.platform": + case "ObserverOsPlatform": + case "observer.os.type": + case "ObserverOsType": + case "observer.os.version": + case "ObserverOsVersion": return TrySetObserver(document, path, value); case "orchestrator.api_version": case "OrchestratorApiVersion": 
@@ -1344,6 +1756,348 @@ internal static bool TrySet(EcsDocument document, string path, object value) case "ProcessVpid": case "process.working_directory": case "ProcessWorkingDirectory": + case "process.group.domain": + case "ProcessGroupDomain": + case "process.group.id": + case "ProcessGroupId": + case "process.group.name": + case "ProcessGroupName": + case "process.real_group.domain": + case "ProcessRealGroupDomain": + case "process.real_group.id": + case "ProcessRealGroupId": + case "process.real_group.name": + case "ProcessRealGroupName": + case "process.saved_group.domain": + case "ProcessSavedGroupDomain": + case "process.saved_group.id": + case "ProcessSavedGroupId": + case "process.saved_group.name": + case "ProcessSavedGroupName": + case "process.hash.md5": + case "ProcessHashMd5": + case "process.hash.sha1": + case "ProcessHashSha1": + case "process.hash.sha256": + case "ProcessHashSha256": + case "process.hash.sha384": + case "ProcessHashSha384": + case "process.hash.sha512": + case "ProcessHashSha512": + case "process.hash.ssdeep": + case "ProcessHashSsdeep": + case "process.hash.tlsh": + case "ProcessHashTlsh": + case "process.pe.architecture": + case "ProcessPeArchitecture": + case "process.pe.company": + case "ProcessPeCompany": + case "process.pe.description": + case "ProcessPeDescription": + case "process.pe.file_version": + case "ProcessPeFileVersion": + case "process.pe.go_import_hash": + case "ProcessPeGoImportHash": + case "process.pe.go_imports": + case "ProcessPeGoImports": + case "process.pe.go_imports_names_entropy": + case "ProcessPeGoImportsNamesEntropy": + case "process.pe.go_imports_names_var_entropy": + case "ProcessPeGoImportsNamesVarEntropy": + case "process.pe.go_stripped": + case "ProcessPeGoStripped": + case "process.pe.imphash": + case "ProcessPeImphash": + case "process.pe.import_hash": + case "ProcessPeImportHash": + case "process.pe.imports_names_entropy": + case "ProcessPeImportsNamesEntropy": + case 
"process.pe.imports_names_var_entropy": + case "ProcessPeImportsNamesVarEntropy": + case "process.pe.original_file_name": + case "ProcessPeOriginalFileName": + case "process.pe.pehash": + case "ProcessPePehash": + case "process.pe.product": + case "ProcessPeProduct": + case "process.code_signature.digest_algorithm": + case "ProcessCodeSignatureDigestAlgorithm": + case "process.code_signature.exists": + case "ProcessCodeSignatureExists": + case "process.code_signature.signing_id": + case "ProcessCodeSignatureSigningId": + case "process.code_signature.status": + case "ProcessCodeSignatureStatus": + case "process.code_signature.subject_name": + case "ProcessCodeSignatureSubjectName": + case "process.code_signature.team_id": + case "ProcessCodeSignatureTeamId": + case "process.code_signature.timestamp": + case "ProcessCodeSignatureTimestamp": + case "process.code_signature.trusted": + case "ProcessCodeSignatureTrusted": + case "process.code_signature.valid": + case "ProcessCodeSignatureValid": + case "process.elf.architecture": + case "ProcessElfArchitecture": + case "process.elf.byte_order": + case "ProcessElfByteOrder": + case "process.elf.cpu_type": + case "ProcessElfCpuType": + case "process.elf.creation_date": + case "ProcessElfCreationDate": + case "process.elf.go_import_hash": + case "ProcessElfGoImportHash": + case "process.elf.go_imports": + case "ProcessElfGoImports": + case "process.elf.go_imports_names_entropy": + case "ProcessElfGoImportsNamesEntropy": + case "process.elf.go_imports_names_var_entropy": + case "ProcessElfGoImportsNamesVarEntropy": + case "process.elf.go_stripped": + case "ProcessElfGoStripped": + case "process.elf.header.abi_version": + case "ProcessElfHeaderAbiVersion": + case "process.elf.header.class": + case "ProcessElfHeaderClass": + case "process.elf.header.data": + case "ProcessElfHeaderData": + case "process.elf.header.entrypoint": + case "ProcessElfHeaderEntrypoint": + case "process.elf.header.object_version": + case 
"ProcessElfHeaderObjectVersion": + case "process.elf.header.os_abi": + case "ProcessElfHeaderOsAbi": + case "process.elf.header.type": + case "ProcessElfHeaderType": + case "process.elf.header.version": + case "ProcessElfHeaderVersion": + case "process.elf.import_hash": + case "ProcessElfImportHash": + case "process.elf.imports_names_entropy": + case "ProcessElfImportsNamesEntropy": + case "process.elf.imports_names_var_entropy": + case "ProcessElfImportsNamesVarEntropy": + case "process.elf.telfhash": + case "ProcessElfTelfhash": + case "process.macho.go_import_hash": + case "ProcessMachoGoImportHash": + case "process.macho.go_imports": + case "ProcessMachoGoImports": + case "process.macho.go_imports_names_entropy": + case "ProcessMachoGoImportsNamesEntropy": + case "process.macho.go_imports_names_var_entropy": + case "ProcessMachoGoImportsNamesVarEntropy": + case "process.macho.go_stripped": + case "ProcessMachoGoStripped": + case "process.macho.import_hash": + case "ProcessMachoImportHash": + case "process.macho.imports_names_entropy": + case "ProcessMachoImportsNamesEntropy": + case "process.macho.imports_names_var_entropy": + case "ProcessMachoImportsNamesVarEntropy": + case "process.macho.symhash": + case "ProcessMachoSymhash": + case "process.entry_meta.source.address": + case "ProcessEntryMetaSourceAddress": + case "process.entry_meta.source.bytes": + case "ProcessEntryMetaSourceBytes": + case "process.entry_meta.source.domain": + case "ProcessEntryMetaSourceDomain": + case "process.entry_meta.source.ip": + case "ProcessEntryMetaSourceIp": + case "process.entry_meta.source.mac": + case "ProcessEntryMetaSourceMac": + case "process.entry_meta.source.nat.ip": + case "ProcessEntryMetaSourceNatIp": + case "process.entry_meta.source.nat.port": + case "ProcessEntryMetaSourceNatPort": + case "process.entry_meta.source.packets": + case "ProcessEntryMetaSourcePackets": + case "process.entry_meta.source.port": + case "ProcessEntryMetaSourcePort": + case 
"process.entry_meta.source.registered_domain": + case "ProcessEntryMetaSourceRegisteredDomain": + case "process.entry_meta.source.subdomain": + case "ProcessEntryMetaSourceSubdomain": + case "process.entry_meta.source.top_level_domain": + case "ProcessEntryMetaSourceTopLevelDomain": + case "process.entry_meta.source.as.number": + case "ProcessEntryMetaSourceAsNumber": + case "process.entry_meta.source.as.organization.name": + case "ProcessEntryMetaSourceAsOrganizationName": + case "process.entry_meta.source.geo.city_name": + case "ProcessEntryMetaSourceGeoCityName": + case "process.entry_meta.source.geo.continent_code": + case "ProcessEntryMetaSourceGeoContinentCode": + case "process.entry_meta.source.geo.continent_name": + case "ProcessEntryMetaSourceGeoContinentName": + case "process.entry_meta.source.geo.country_iso_code": + case "ProcessEntryMetaSourceGeoCountryIsoCode": + case "process.entry_meta.source.geo.country_name": + case "ProcessEntryMetaSourceGeoCountryName": + case "process.entry_meta.source.geo.location": + case "ProcessEntryMetaSourceGeoLocation": + case "process.entry_meta.source.geo.name": + case "ProcessEntryMetaSourceGeoName": + case "process.entry_meta.source.geo.postal_code": + case "ProcessEntryMetaSourceGeoPostalCode": + case "process.entry_meta.source.geo.region_iso_code": + case "ProcessEntryMetaSourceGeoRegionIsoCode": + case "process.entry_meta.source.geo.region_name": + case "ProcessEntryMetaSourceGeoRegionName": + case "process.entry_meta.source.geo.timezone": + case "ProcessEntryMetaSourceGeoTimezone": + case "process.entry_meta.source.user.domain": + case "ProcessEntryMetaSourceUserDomain": + case "process.entry_meta.source.user.email": + case "ProcessEntryMetaSourceUserEmail": + case "process.entry_meta.source.user.full_name": + case "ProcessEntryMetaSourceUserFullName": + case "process.entry_meta.source.user.hash": + case "ProcessEntryMetaSourceUserHash": + case "process.entry_meta.source.user.id": + case 
"ProcessEntryMetaSourceUserId": + case "process.entry_meta.source.user.name": + case "ProcessEntryMetaSourceUserName": + case "process.entry_meta.source.user.group.domain": + case "ProcessEntryMetaSourceUserGroupDomain": + case "process.entry_meta.source.user.group.id": + case "ProcessEntryMetaSourceUserGroupId": + case "process.entry_meta.source.user.group.name": + case "ProcessEntryMetaSourceUserGroupName": + case "process.entry_meta.source.user.risk.calculated_level": + case "ProcessEntryMetaSourceUserRiskCalculatedLevel": + case "process.entry_meta.source.user.risk.calculated_score": + case "ProcessEntryMetaSourceUserRiskCalculatedScore": + case "process.entry_meta.source.user.risk.calculated_score_norm": + case "ProcessEntryMetaSourceUserRiskCalculatedScoreNorm": + case "process.entry_meta.source.user.risk.static_level": + case "ProcessEntryMetaSourceUserRiskStaticLevel": + case "process.entry_meta.source.user.risk.static_score": + case "ProcessEntryMetaSourceUserRiskStaticScore": + case "process.entry_meta.source.user.risk.static_score_norm": + case "ProcessEntryMetaSourceUserRiskStaticScoreNorm": + case "process.user.domain": + case "ProcessUserDomain": + case "process.user.email": + case "ProcessUserEmail": + case "process.user.full_name": + case "ProcessUserFullName": + case "process.user.hash": + case "ProcessUserHash": + case "process.user.id": + case "ProcessUserId": + case "process.user.name": + case "ProcessUserName": + case "process.user.group.domain": + case "ProcessUserGroupDomain": + case "process.user.group.id": + case "ProcessUserGroupId": + case "process.user.group.name": + case "ProcessUserGroupName": + case "process.user.risk.calculated_level": + case "ProcessUserRiskCalculatedLevel": + case "process.user.risk.calculated_score": + case "ProcessUserRiskCalculatedScore": + case "process.user.risk.calculated_score_norm": + case "ProcessUserRiskCalculatedScoreNorm": + case "process.user.risk.static_level": + case "ProcessUserRiskStaticLevel": + 
case "process.user.risk.static_score": + case "ProcessUserRiskStaticScore": + case "process.user.risk.static_score_norm": + case "ProcessUserRiskStaticScoreNorm": + case "process.saved_user.domain": + case "ProcessSavedUserDomain": + case "process.saved_user.email": + case "ProcessSavedUserEmail": + case "process.saved_user.full_name": + case "ProcessSavedUserFullName": + case "process.saved_user.hash": + case "ProcessSavedUserHash": + case "process.saved_user.id": + case "ProcessSavedUserId": + case "process.saved_user.name": + case "ProcessSavedUserName": + case "process.saved_user.group.domain": + case "ProcessSavedUserGroupDomain": + case "process.saved_user.group.id": + case "ProcessSavedUserGroupId": + case "process.saved_user.group.name": + case "ProcessSavedUserGroupName": + case "process.saved_user.risk.calculated_level": + case "ProcessSavedUserRiskCalculatedLevel": + case "process.saved_user.risk.calculated_score": + case "ProcessSavedUserRiskCalculatedScore": + case "process.saved_user.risk.calculated_score_norm": + case "ProcessSavedUserRiskCalculatedScoreNorm": + case "process.saved_user.risk.static_level": + case "ProcessSavedUserRiskStaticLevel": + case "process.saved_user.risk.static_score": + case "ProcessSavedUserRiskStaticScore": + case "process.saved_user.risk.static_score_norm": + case "ProcessSavedUserRiskStaticScoreNorm": + case "process.real_user.domain": + case "ProcessRealUserDomain": + case "process.real_user.email": + case "ProcessRealUserEmail": + case "process.real_user.full_name": + case "ProcessRealUserFullName": + case "process.real_user.hash": + case "ProcessRealUserHash": + case "process.real_user.id": + case "ProcessRealUserId": + case "process.real_user.name": + case "ProcessRealUserName": + case "process.real_user.group.domain": + case "ProcessRealUserGroupDomain": + case "process.real_user.group.id": + case "ProcessRealUserGroupId": + case "process.real_user.group.name": + case "ProcessRealUserGroupName": + case 
"process.real_user.risk.calculated_level": + case "ProcessRealUserRiskCalculatedLevel": + case "process.real_user.risk.calculated_score": + case "ProcessRealUserRiskCalculatedScore": + case "process.real_user.risk.calculated_score_norm": + case "ProcessRealUserRiskCalculatedScoreNorm": + case "process.real_user.risk.static_level": + case "ProcessRealUserRiskStaticLevel": + case "process.real_user.risk.static_score": + case "ProcessRealUserRiskStaticScore": + case "process.real_user.risk.static_score_norm": + case "ProcessRealUserRiskStaticScoreNorm": + case "process.attested_user.domain": + case "ProcessAttestedUserDomain": + case "process.attested_user.email": + case "ProcessAttestedUserEmail": + case "process.attested_user.full_name": + case "ProcessAttestedUserFullName": + case "process.attested_user.hash": + case "ProcessAttestedUserHash": + case "process.attested_user.id": + case "ProcessAttestedUserId": + case "process.attested_user.name": + case "ProcessAttestedUserName": + case "process.attested_user.group.domain": + case "ProcessAttestedUserGroupDomain": + case "process.attested_user.group.id": + case "ProcessAttestedUserGroupId": + case "process.attested_user.group.name": + case "ProcessAttestedUserGroupName": + case "process.attested_user.risk.calculated_level": + case "ProcessAttestedUserRiskCalculatedLevel": + case "process.attested_user.risk.calculated_score": + case "ProcessAttestedUserRiskCalculatedScore": + case "process.attested_user.risk.calculated_score_norm": + case "ProcessAttestedUserRiskCalculatedScoreNorm": + case "process.attested_user.risk.static_level": + case "ProcessAttestedUserRiskStaticLevel": + case "process.attested_user.risk.static_score": + case "ProcessAttestedUserRiskStaticScore": + case "process.attested_user.risk.static_score_norm": + case "ProcessAttestedUserRiskStaticScoreNorm": return TrySetProcess(document, path, value); case "registry.data.bytes": case "RegistryDataBytes": 
@@ -1414,6 +2168,62 @@ internal static bool TrySet(EcsDocument document, string path, object value)
 case "ServerSubdomain":
 case "server.top_level_domain":
 case "ServerTopLevelDomain":
+ case "server.as.number":
+ case "ServerAsNumber":
+ case "server.as.organization.name":
+ case "ServerAsOrganizationName":
+ case "server.geo.city_name":
+ case "ServerGeoCityName":
+ case "server.geo.continent_code":
+ case "ServerGeoContinentCode":
+ case "server.geo.continent_name":
+ case "ServerGeoContinentName":
+ case "server.geo.country_iso_code":
+ case "ServerGeoCountryIsoCode":
+ case "server.geo.country_name":
+ case "ServerGeoCountryName":
+ case "server.geo.location":
+ case "ServerGeoLocation":
+ case "server.geo.name":
+ case "ServerGeoName":
+ case "server.geo.postal_code":
+ case "ServerGeoPostalCode":
+ case "server.geo.region_iso_code":
+ case "ServerGeoRegionIsoCode":
+ case "server.geo.region_name":
+ case "ServerGeoRegionName":
+ case "server.geo.timezone":
+ case "ServerGeoTimezone":
+ case "server.user.domain":
+ case "ServerUserDomain":
+ case "server.user.email":
+ case "ServerUserEmail":
+ case "server.user.full_name":
+ case "ServerUserFullName":
+ case "server.user.hash":
+ case "ServerUserHash":
+ case "server.user.id":
+ case "ServerUserId":
+ case "server.user.name":
+ case "ServerUserName":
+ case "server.user.group.domain":
+ case "ServerUserGroupDomain":
+ case "server.user.group.id":
+ case "ServerUserGroupId":
+ case "server.user.group.name":
+ case "ServerUserGroupName":
+ case "server.user.risk.calculated_level":
+ case "ServerUserRiskCalculatedLevel":
+ case "server.user.risk.calculated_score":
+ case "ServerUserRiskCalculatedScore":
+ case "server.user.risk.calculated_score_norm":
+ case "ServerUserRiskCalculatedScoreNorm":
+ case "server.user.risk.static_level":
+ case "ServerUserRiskStaticLevel":
+ case "server.user.risk.static_score":
+ case "ServerUserRiskStaticScore":
+ case "server.user.risk.static_score_norm":
+ case "ServerUserRiskStaticScoreNorm":
 return TrySetServer(document, path, value);
 case "service.address":
 case "ServiceAddress":
@@ -1460,6 +2270,62 @@ internal static bool TrySet(EcsDocument document, string path, object value)
 case "SourceSubdomain":
 case "source.top_level_domain":
 case "SourceTopLevelDomain":
+ case "source.as.number":
+ case "SourceAsNumber":
+ case "source.as.organization.name":
+ case "SourceAsOrganizationName":
+ case "source.geo.city_name":
+ case "SourceGeoCityName":
+ case "source.geo.continent_code":
+ case "SourceGeoContinentCode":
+ case "source.geo.continent_name":
+ case "SourceGeoContinentName":
+ case "source.geo.country_iso_code":
+ case "SourceGeoCountryIsoCode":
+ case "source.geo.country_name":
+ case "SourceGeoCountryName":
+ case "source.geo.location":
+ case "SourceGeoLocation":
+ case "source.geo.name":
+ case "SourceGeoName":
+ case "source.geo.postal_code":
+ case "SourceGeoPostalCode":
+ case "source.geo.region_iso_code":
+ case "SourceGeoRegionIsoCode":
+ case "source.geo.region_name":
+ case "SourceGeoRegionName":
+ case "source.geo.timezone":
+ case "SourceGeoTimezone":
+ case "source.user.domain":
+ case "SourceUserDomain":
+ case "source.user.email":
+ case "SourceUserEmail":
+ case "source.user.full_name":
+ case "SourceUserFullName":
+ case "source.user.hash":
+ case "SourceUserHash":
+ case "source.user.id":
+ case "SourceUserId":
+ case "source.user.name":
+ case "SourceUserName":
+ case "source.user.group.domain":
+ case "SourceUserGroupDomain":
+ case "source.user.group.id":
+ case "SourceUserGroupId":
+ case "source.user.group.name":
+ case "SourceUserGroupName":
+ case "source.user.risk.calculated_level":
+ case "SourceUserRiskCalculatedLevel":
+ case "source.user.risk.calculated_score":
+ case "SourceUserRiskCalculatedScore":
+ case "source.user.risk.calculated_score_norm":
+ case "SourceUserRiskCalculatedScoreNorm":
+ case "source.user.risk.static_level":
+ case "SourceUserRiskStaticLevel":
+ case "source.user.risk.static_score":
+ case "SourceUserRiskStaticScore":
+ case "source.user.risk.static_score_norm":
+ case "SourceUserRiskStaticScoreNorm":
 return TrySetSource(document, path, value);
 case "threat.feed.dashboard_id":
 case "ThreatFeedDashboardId":
@@ -1517,6 +2383,282 @@ internal static bool TrySet(EcsDocument document, string path, object value)
 case "ThreatSoftwareReference":
 case "threat.software.type":
 case "ThreatSoftwareType":
+ case "threat.indicator.x509.issuer.distinguished_name":
+ case "ThreatIndicatorX509IssuerDistinguishedName":
+ case "threat.indicator.x509.not_after":
+ case "ThreatIndicatorX509NotAfter":
+ case "threat.indicator.x509.not_before":
+ case "ThreatIndicatorX509NotBefore":
+ case "threat.indicator.x509.public_key_algorithm":
+ case "ThreatIndicatorX509PublicKeyAlgorithm":
+ case "threat.indicator.x509.public_key_curve":
+ case "ThreatIndicatorX509PublicKeyCurve":
+ case "threat.indicator.x509.public_key_exponent":
+ case "ThreatIndicatorX509PublicKeyExponent":
+ case "threat.indicator.x509.public_key_size":
+ case "ThreatIndicatorX509PublicKeySize":
+ case "threat.indicator.x509.serial_number":
+ case "ThreatIndicatorX509SerialNumber":
+ case "threat.indicator.x509.signature_algorithm":
+ case "ThreatIndicatorX509SignatureAlgorithm":
+ case "threat.indicator.x509.subject.distinguished_name":
+ case "ThreatIndicatorX509SubjectDistinguishedName":
+ case "threat.indicator.x509.version_number":
+ case "ThreatIndicatorX509VersionNumber":
+ case "threat.indicator.as.number":
+ case "ThreatIndicatorAsNumber":
+ case "threat.indicator.as.organization.name":
+ case "ThreatIndicatorAsOrganizationName":
+ case "threat.indicator.file.accessed":
+ case "ThreatIndicatorFileAccessed":
+ case "threat.indicator.file.created":
+ case "ThreatIndicatorFileCreated":
+ case "threat.indicator.file.ctime":
+ case "ThreatIndicatorFileCtime":
+ case "threat.indicator.file.device":
+ case "ThreatIndicatorFileDevice":
+ case "threat.indicator.file.directory":
+ case "ThreatIndicatorFileDirectory":
+ case "threat.indicator.file.drive_letter":
+ case "ThreatIndicatorFileDriveLetter":
+ case "threat.indicator.file.extension":
+ case "ThreatIndicatorFileExtension":
+ case "threat.indicator.file.fork_name":
+ case "ThreatIndicatorFileForkName":
+ case "threat.indicator.file.gid":
+ case "ThreatIndicatorFileGid":
+ case "threat.indicator.file.group":
+ case "ThreatIndicatorFileGroup":
+ case "threat.indicator.file.inode":
+ case "ThreatIndicatorFileInode":
+ case "threat.indicator.file.mime_type":
+ case "ThreatIndicatorFileMimeType":
+ case "threat.indicator.file.mode":
+ case "ThreatIndicatorFileMode":
+ case "threat.indicator.file.mtime":
+ case "ThreatIndicatorFileMtime":
+ case "threat.indicator.file.name":
+ case "ThreatIndicatorFileName":
+ case "threat.indicator.file.owner":
+ case "ThreatIndicatorFileOwner":
+ case "threat.indicator.file.path":
+ case "ThreatIndicatorFilePath":
+ case "threat.indicator.file.size":
+ case "ThreatIndicatorFileSize":
+ case "threat.indicator.file.target_path":
+ case "ThreatIndicatorFileTargetPath":
+ case "threat.indicator.file.type":
+ case "ThreatIndicatorFileType":
+ case "threat.indicator.file.uid":
+ case "ThreatIndicatorFileUid":
+ case "threat.indicator.file.hash.md5":
+ case "ThreatIndicatorFileHashMd5":
+ case "threat.indicator.file.hash.sha1":
+ case "ThreatIndicatorFileHashSha1":
+ case "threat.indicator.file.hash.sha256":
+ case "ThreatIndicatorFileHashSha256":
+ case "threat.indicator.file.hash.sha384":
+ case "ThreatIndicatorFileHashSha384":
+ case "threat.indicator.file.hash.sha512":
+ case "ThreatIndicatorFileHashSha512":
+ case "threat.indicator.file.hash.ssdeep":
+ case "ThreatIndicatorFileHashSsdeep":
+ case "threat.indicator.file.hash.tlsh":
+ case "ThreatIndicatorFileHashTlsh":
+ case "threat.indicator.file.pe.architecture":
+ case "ThreatIndicatorFilePeArchitecture":
+ case "threat.indicator.file.pe.company":
+ case "ThreatIndicatorFilePeCompany":
+ case "threat.indicator.file.pe.description":
+ case "ThreatIndicatorFilePeDescription":
+ case "threat.indicator.file.pe.file_version":
+ case "ThreatIndicatorFilePeFileVersion":
+ case "threat.indicator.file.pe.go_import_hash":
+ case "ThreatIndicatorFilePeGoImportHash":
+ case "threat.indicator.file.pe.go_imports":
+ case "ThreatIndicatorFilePeGoImports":
+ case "threat.indicator.file.pe.go_imports_names_entropy":
+ case "ThreatIndicatorFilePeGoImportsNamesEntropy":
+ case "threat.indicator.file.pe.go_imports_names_var_entropy":
+ case "ThreatIndicatorFilePeGoImportsNamesVarEntropy":
+ case "threat.indicator.file.pe.go_stripped":
+ case "ThreatIndicatorFilePeGoStripped":
+ case "threat.indicator.file.pe.imphash":
+ case "ThreatIndicatorFilePeImphash":
+ case "threat.indicator.file.pe.import_hash":
+ case "ThreatIndicatorFilePeImportHash":
+ case "threat.indicator.file.pe.imports_names_entropy":
+ case "ThreatIndicatorFilePeImportsNamesEntropy":
+ case "threat.indicator.file.pe.imports_names_var_entropy":
+ case "ThreatIndicatorFilePeImportsNamesVarEntropy":
+ case "threat.indicator.file.pe.original_file_name":
+ case "ThreatIndicatorFilePeOriginalFileName":
+ case "threat.indicator.file.pe.pehash":
+ case "ThreatIndicatorFilePePehash":
+ case "threat.indicator.file.pe.product":
+ case "ThreatIndicatorFilePeProduct":
+ case "threat.indicator.file.x509.issuer.distinguished_name":
+ case "ThreatIndicatorFileX509IssuerDistinguishedName":
+ case "threat.indicator.file.x509.not_after":
+ case "ThreatIndicatorFileX509NotAfter":
+ case "threat.indicator.file.x509.not_before":
+ case "ThreatIndicatorFileX509NotBefore":
+ case "threat.indicator.file.x509.public_key_algorithm":
+ case "ThreatIndicatorFileX509PublicKeyAlgorithm":
+ case "threat.indicator.file.x509.public_key_curve":
+ case "ThreatIndicatorFileX509PublicKeyCurve":
+ case "threat.indicator.file.x509.public_key_exponent":
+ case "ThreatIndicatorFileX509PublicKeyExponent":
+ case "threat.indicator.file.x509.public_key_size":
+ case "ThreatIndicatorFileX509PublicKeySize":
+ case "threat.indicator.file.x509.serial_number":
+ case "ThreatIndicatorFileX509SerialNumber":
+ case "threat.indicator.file.x509.signature_algorithm":
+ case "ThreatIndicatorFileX509SignatureAlgorithm":
+ case "threat.indicator.file.x509.subject.distinguished_name":
+ case "ThreatIndicatorFileX509SubjectDistinguishedName":
+ case "threat.indicator.file.x509.version_number":
+ case "ThreatIndicatorFileX509VersionNumber":
+ case "threat.indicator.file.code_signature.digest_algorithm":
+ case "ThreatIndicatorFileCodeSignatureDigestAlgorithm":
+ case "threat.indicator.file.code_signature.exists":
+ case "ThreatIndicatorFileCodeSignatureExists":
+ case "threat.indicator.file.code_signature.signing_id":
+ case "ThreatIndicatorFileCodeSignatureSigningId":
+ case "threat.indicator.file.code_signature.status":
+ case "ThreatIndicatorFileCodeSignatureStatus":
+ case "threat.indicator.file.code_signature.subject_name":
+ case "ThreatIndicatorFileCodeSignatureSubjectName":
+ case "threat.indicator.file.code_signature.team_id":
+ case "ThreatIndicatorFileCodeSignatureTeamId":
+ case "threat.indicator.file.code_signature.timestamp":
+ case "ThreatIndicatorFileCodeSignatureTimestamp":
+ case "threat.indicator.file.code_signature.trusted":
+ case "ThreatIndicatorFileCodeSignatureTrusted":
+ case "threat.indicator.file.code_signature.valid":
+ case "ThreatIndicatorFileCodeSignatureValid":
+ case "threat.indicator.file.elf.architecture":
+ case "ThreatIndicatorFileElfArchitecture":
+ case "threat.indicator.file.elf.byte_order":
+ case "ThreatIndicatorFileElfByteOrder":
+ case "threat.indicator.file.elf.cpu_type":
+ case "ThreatIndicatorFileElfCpuType":
+ case "threat.indicator.file.elf.creation_date":
+ case "ThreatIndicatorFileElfCreationDate":
+ case "threat.indicator.file.elf.go_import_hash":
+ case "ThreatIndicatorFileElfGoImportHash":
+ case "threat.indicator.file.elf.go_imports":
+ case "ThreatIndicatorFileElfGoImports":
+ case "threat.indicator.file.elf.go_imports_names_entropy":
+ case "ThreatIndicatorFileElfGoImportsNamesEntropy":
+ case "threat.indicator.file.elf.go_imports_names_var_entropy":
+ case "ThreatIndicatorFileElfGoImportsNamesVarEntropy":
+ case "threat.indicator.file.elf.go_stripped":
+ case "ThreatIndicatorFileElfGoStripped":
+ case "threat.indicator.file.elf.header.abi_version":
+ case "ThreatIndicatorFileElfHeaderAbiVersion":
+ case "threat.indicator.file.elf.header.class":
+ case "ThreatIndicatorFileElfHeaderClass":
+ case "threat.indicator.file.elf.header.data":
+ case "ThreatIndicatorFileElfHeaderData":
+ case "threat.indicator.file.elf.header.entrypoint":
+ case "ThreatIndicatorFileElfHeaderEntrypoint":
+ case "threat.indicator.file.elf.header.object_version":
+ case "ThreatIndicatorFileElfHeaderObjectVersion":
+ case "threat.indicator.file.elf.header.os_abi":
+ case "ThreatIndicatorFileElfHeaderOsAbi":
+ case "threat.indicator.file.elf.header.type":
+ case "ThreatIndicatorFileElfHeaderType":
+ case "threat.indicator.file.elf.header.version":
+ case "ThreatIndicatorFileElfHeaderVersion":
+ case "threat.indicator.file.elf.import_hash":
+ case "ThreatIndicatorFileElfImportHash":
+ case "threat.indicator.file.elf.imports_names_entropy":
+ case "ThreatIndicatorFileElfImportsNamesEntropy":
+ case "threat.indicator.file.elf.imports_names_var_entropy":
+ case "ThreatIndicatorFileElfImportsNamesVarEntropy":
+ case "threat.indicator.file.elf.telfhash":
+ case "ThreatIndicatorFileElfTelfhash":
+ case "threat.indicator.file.macho.go_import_hash":
+ case "ThreatIndicatorFileMachoGoImportHash":
+ case "threat.indicator.file.macho.go_imports":
+ case "ThreatIndicatorFileMachoGoImports":
+ case "threat.indicator.file.macho.go_imports_names_entropy":
+ case "ThreatIndicatorFileMachoGoImportsNamesEntropy":
+ case "threat.indicator.file.macho.go_imports_names_var_entropy":
+ case "ThreatIndicatorFileMachoGoImportsNamesVarEntropy":
+ case "threat.indicator.file.macho.go_stripped":
+ case "ThreatIndicatorFileMachoGoStripped":
+ case "threat.indicator.file.macho.import_hash":
+ case "ThreatIndicatorFileMachoImportHash":
+ case "threat.indicator.file.macho.imports_names_entropy":
+ case "ThreatIndicatorFileMachoImportsNamesEntropy":
+ case "threat.indicator.file.macho.imports_names_var_entropy":
+ case "ThreatIndicatorFileMachoImportsNamesVarEntropy":
+ case "threat.indicator.file.macho.symhash":
+ case "ThreatIndicatorFileMachoSymhash":
+ case "threat.indicator.geo.city_name":
+ case "ThreatIndicatorGeoCityName":
+ case "threat.indicator.geo.continent_code":
+ case "ThreatIndicatorGeoContinentCode":
+ case "threat.indicator.geo.continent_name":
+ case "ThreatIndicatorGeoContinentName":
+ case "threat.indicator.geo.country_iso_code":
+ case "ThreatIndicatorGeoCountryIsoCode":
+ case "threat.indicator.geo.country_name":
+ case "ThreatIndicatorGeoCountryName":
+ case "threat.indicator.geo.location":
+ case "ThreatIndicatorGeoLocation":
+ case "threat.indicator.geo.name":
+ case "ThreatIndicatorGeoName":
+ case "threat.indicator.geo.postal_code":
+ case "ThreatIndicatorGeoPostalCode":
+ case "threat.indicator.geo.region_iso_code":
+ case "ThreatIndicatorGeoRegionIsoCode":
+ case "threat.indicator.geo.region_name":
+ case "ThreatIndicatorGeoRegionName":
+ case "threat.indicator.geo.timezone":
+ case "ThreatIndicatorGeoTimezone":
+ case "threat.indicator.registry.data.bytes":
+ case "ThreatIndicatorRegistryDataBytes":
+ case "threat.indicator.registry.data.type":
+ case "ThreatIndicatorRegistryDataType":
+ case "threat.indicator.registry.hive":
+ case "ThreatIndicatorRegistryHive":
+ case "threat.indicator.registry.key":
+ case "ThreatIndicatorRegistryKey":
+ case "threat.indicator.registry.path":
+ case "ThreatIndicatorRegistryPath":
+ case "threat.indicator.registry.value":
+ case "ThreatIndicatorRegistryValue":
+ case "threat.indicator.url.domain":
+ case "ThreatIndicatorUrlDomain":
+ case "threat.indicator.url.extension":
+ case "ThreatIndicatorUrlExtension":
+ case "threat.indicator.url.fragment":
+ case "ThreatIndicatorUrlFragment":
+ case "threat.indicator.url.full":
+ case "ThreatIndicatorUrlFull":
+ case "threat.indicator.url.original":
+ case "ThreatIndicatorUrlOriginal":
+ case "threat.indicator.url.password":
+ case "ThreatIndicatorUrlPassword":
+ case "threat.indicator.url.path":
+ case "ThreatIndicatorUrlPath":
+ case "threat.indicator.url.port":
+ case "ThreatIndicatorUrlPort":
+ case "threat.indicator.url.query":
+ case "ThreatIndicatorUrlQuery":
+ case "threat.indicator.url.registered_domain":
+ case "ThreatIndicatorUrlRegisteredDomain":
+ case "threat.indicator.url.scheme":
+ case "ThreatIndicatorUrlScheme":
+ case "threat.indicator.url.subdomain":
+ case "ThreatIndicatorUrlSubdomain":
+ case "threat.indicator.url.top_level_domain":
+ case "ThreatIndicatorUrlTopLevelDomain":
+ case "threat.indicator.url.username":
+ case "ThreatIndicatorUrlUsername":
 return TrySetThreat(document, path, value);
 case "tls.cipher":
 case "TlsCipher":
@@ -1570,6 +2712,28 @@ internal static bool TrySet(EcsDocument document, string path, object value)
 case "TlsVersion":
 case "tls.version_protocol":
 case "TlsVersionProtocol":
+ case "tls.client.x509.issuer.distinguished_name":
+ case "TlsClientX509IssuerDistinguishedName":
+ case "tls.client.x509.not_after":
+ case "TlsClientX509NotAfter":
+ case "tls.client.x509.not_before":
+ case "TlsClientX509NotBefore":
+ case "tls.client.x509.public_key_algorithm":
+ case "TlsClientX509PublicKeyAlgorithm":
+ case "tls.client.x509.public_key_curve":
+ case "TlsClientX509PublicKeyCurve":
+ case "tls.client.x509.public_key_exponent":
+ case "TlsClientX509PublicKeyExponent":
+ case "tls.client.x509.public_key_size":
+ case "TlsClientX509PublicKeySize":
+ case "tls.client.x509.serial_number":
+ case "TlsClientX509SerialNumber":
+ case "tls.client.x509.signature_algorithm":
+ case "TlsClientX509SignatureAlgorithm":
+ case "tls.client.x509.subject.distinguished_name":
+ case "TlsClientX509SubjectDistinguishedName":
+ case "tls.client.x509.version_number":
+ case "TlsClientX509VersionNumber":
 return TrySetTls(document, path, value);
 case "url.domain":
 case "UrlDomain":
@@ -1612,6 +2776,24 @@ internal static bool TrySet(EcsDocument document, string path, object value)
 case "UserId":
 case "user.name":
 case "UserName":
+ case "user.group.domain":
+ case "UserGroupDomain":
+ case "user.group.id":
+ case "UserGroupId":
+ case "user.group.name":
+ case "UserGroupName":
+ case "user.risk.calculated_level":
+ case "UserRiskCalculatedLevel":
+ case "user.risk.calculated_score":
+ case "UserRiskCalculatedScore":
+ case "user.risk.calculated_score_norm":
+ case "UserRiskCalculatedScoreNorm":
+ case "user.risk.static_level":
+ case "UserRiskStaticLevel":
+ case "user.risk.static_score":
+ case "UserRiskStaticScore":
+ case "user.risk.static_score_norm":
+ case "UserRiskStaticScoreNorm":
 return TrySetUser(document, path, value);
 case "user_agent.device.name":
 case "UserAgentDeviceName":
@@ -1621,6 +2803,20 @@ internal static bool TrySet(EcsDocument document, string path, object value)
 case "UserAgentOriginal":
 case "user_agent.version":
 case "UserAgentVersion":
+ case "user_agent.os.family":
+ case "UserAgentOsFamily":
+ case "user_agent.os.full":
+ case "UserAgentOsFull":
+ case "user_agent.os.kernel":
+ case "UserAgentOsKernel":
+ case "user_agent.os.name":
+ case "UserAgentOsName":
+ case "user_agent.os.platform":
+ case "UserAgentOsPlatform":
+ case "user_agent.os.type":
+ case "UserAgentOsType":
+ case "user_agent.os.version":
+ case "UserAgentOsVersion":
 return TrySetUserAgent(document, path, value);
 case "vlan.id":
 case "VlanId":
@@ -1699,7 +2895,7 @@ public static bool TrySetEcsDocument(EcsDocument document, string path, object v
 return assign != null && assign(document, value);
 }
- public static bool TrySetAgent(EcsDocument document, string path, object value)
+ public static Func TryAssignAgent(string path)
 {
 Func assign = path switch
 {
@@ -1717,15 +2913,20 @@ public static bool TrySetAgent(EcsDocument document, string path, object value)
 "AgentVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p),
 _ => null
 };
+ return assign;
+ }
+ public static bool TrySetAgent(EcsDocument document, string path, object value)
+ {
+ var assign = TryAssignAgent(path);
 if (assign == null) return false;
-
+
 var entity = document.Agent ?? new Agent();
 var assigned = assign(entity, value);
 if (assigned) document.Agent = entity;
 return assigned;
 }
- public static bool TrySetAs(EcsDocument document, string path, object value)
+ public static Func TryAssignAs(string path)
 {
 Func assign = path switch
 {
@@ -1735,15 +2936,20 @@ public static bool TrySetAs(EcsDocument document, string path, object value)
 "AsOrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OrganizationName = p),
 _ => null
 };
+ return assign;
+ }
+ public static bool TrySetAs(IAs document, string path, object value)
+ {
+ var assign = TryAssignAs(path);
 if (assign == null) return false;
-
+
 var entity = document.As ?? new As();
 var assigned = assign(entity, value);
 if (assigned) document.As = entity;
 return assigned;
 }
- public static bool TrySetClient(EcsDocument document, string path, object value)
+ public static Func TryAssignClient(string path)
 {
 Func assign = path switch
 {
@@ -1771,17 +2977,78 @@ public static bool TrySetClient(EcsDocument document, string path, object value)
 "ClientSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p),
 "client.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p),
 "ClientTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p),
+ "client.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v),
+ "ClientAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v),
+ "client.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v),
+ "ClientAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v),
+ "client.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v),
+ "ClientGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v),
+ "client.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v),
+ "ClientGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v),
+ "client.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v),
+ "ClientGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v),
+ "client.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v),
+ "ClientGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v),
+ "client.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v),
+ "ClientGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v),
+ "client.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v),
+ "ClientGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v),
+ "client.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v),
+ "ClientGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v),
+ "client.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v),
+ "ClientGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v),
+ "client.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v),
+ "ClientGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v),
+ "client.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v),
+ "ClientGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v),
+ "client.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v),
+ "ClientGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v),
+ "client.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v),
+ "ClientUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v),
+ "client.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v),
+ "ClientUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v),
+ "client.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v),
+ "ClientUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v),
+ "client.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v),
+ "ClientUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v),
+ "client.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v),
+ "ClientUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v),
+ "client.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v),
+ "ClientUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v),
+ "client.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v),
+ "ClientUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v),
+ "client.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v),
+ "ClientUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v),
+ "client.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v),
+ "ClientUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v),
+ "client.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v),
+ "ClientUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v),
+ "client.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v),
+ "ClientUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v),
+ "client.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v),
+ "ClientUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v),
+ "client.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v),
+ "ClientUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v),
+ "client.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v),
+ "ClientUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v),
+ "client.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v),
+ "ClientUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v),
 _ => null
 };
+ return assign;
+ }
+ public static bool TrySetClient(EcsDocument document, string path, object value)
+ {
+ var assign = TryAssignClient(path);
 if (assign == null) return false;
-
+
 var entity = document.Client ?? new Client();
 var assigned = assign(entity, value);
 if (assigned) document.Client = entity;
 return assigned;
 }
- public static bool TrySetCloud(EcsDocument document, string path, object value)
+ public static Func TryAssignCloud(string path)
 {
 Func assign = path switch
 {
@@ -1809,15 +3076,20 @@ public static bool TrySetCloud(EcsDocument document, string path, object value)
 "CloudServiceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ServiceName = p),
 _ => null
 };
+ return assign;
+ }
+ public static bool TrySetCloud(EcsDocument document, string path, object value)
+ {
+ var assign = TryAssignCloud(path);
 if (assign == null) return false;
-
+
 var entity = document.Cloud ?? new Cloud();
 var assigned = assign(entity, value);
 if (assigned) document.Cloud = entity;
 return assigned;
 }
- public static bool TrySetCodeSignature(EcsDocument document, string path, object value)
+ public static Func TryAssignCodeSignature(string path)
 {
 Func assign = path switch
 {
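Review bot: The nested assigners added to the TryAssignClient switch attach the child entity before the value is validated: `"client.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v)` creates and stores an empty `As` on the client even when the inner assigner returns false, whereas every top-level TrySet* method in this file only writes `document.X = entity` after `assigned` is true, so a rejected value leaves an empty nested object that will be serialized with the document. Since this commit also introduces `TrySetAs(IAs document, string path, object value)` with the attach-on-success pattern, each entry could delegate to it instead, e.g. `"client.as.number" => static (e, v) => TrySetAs(e, "as.number", v),` provided Client implements the IAs interface this commit adds (the interface file is not in view, so that needs confirming); the same applies to the Geo and User entries here and to the TryAssignDestination hunk below. This is generated output, so the change belongs in the generator template rather than this file. The nested form also re-runs the string switch in `TryAssignAs("as.number")` on every invocation rather than resolving the inner assigner once. TryAssignClient's switch begins before this hunk.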
@@ -1841,15 +3113,20 @@ public static bool TrySetCodeSignature(EcsDocument document, string path, object
 "CodeSignatureValid" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.Valid = p),
 _ => null
 };
+ return assign;
+ }
+ public static bool TrySetCodeSignature(ICodeSignature document, string path, object value)
+ {
+ var assign = TryAssignCodeSignature(path);
 if (assign == null) return false;
-
+
 var entity = document.CodeSignature ?? new CodeSignature();
 var assigned = assign(entity, value);
 if (assigned) document.CodeSignature = entity;
 return assigned;
 }
- public static bool TrySetContainer(EcsDocument document, string path, object value)
+ public static Func TryAssignContainer(string path)
 {
 Func assign = path switch
 {
@@ -1877,15 +3154,20 @@ public static bool TrySetContainer(EcsDocument document, string path, object val
 "ContainerSecurityContextPrivileged" => static (e, v) => TrySetBool(e, v, static (ee, p) => ee.SecurityContextPrivileged = p),
 _ => null
 };
+ return assign;
+ }
+ public static bool TrySetContainer(EcsDocument document, string path, object value)
+ {
+ var assign = TryAssignContainer(path);
 if (assign == null) return false;
-
+
 var entity = document.Container ?? new Container();
 var assigned = assign(entity, value);
 if (assigned) document.Container = entity;
 return assigned;
 }
- public static bool TrySetDataStream(EcsDocument document, string path, object value)
+ public static Func TryAssignDataStream(string path)
 {
 Func assign = path switch
 {
@@ -1897,15 +3179,20 @@ public static bool TrySetDataStream(EcsDocument document, string path, object va
 "DataStreamType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p),
 _ => null
 };
+ return assign;
+ }
+ public static bool TrySetDataStream(EcsDocument document, string path, object value)
+ {
+ var assign = TryAssignDataStream(path);
 if (assign == null) return false;
-
+
 var entity = document.DataStream ?? new DataStream();
 var assigned = assign(entity, value);
 if (assigned) document.DataStream = entity;
 return assigned;
 }
- public static bool TrySetDestination(EcsDocument document, string path, object value)
+ public static Func TryAssignDestination(string path)
 {
 Func assign = path switch
 {
@@ -1933,17 +3220,78 @@ public static bool TrySetDestination(EcsDocument document, string path, object v "DestinationSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "destination.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "DestinationTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "destination.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "DestinationAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "destination.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "DestinationAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "destination.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "DestinationGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "destination.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "DestinationGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "destination.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "DestinationGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "destination.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "DestinationGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "destination.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "DestinationGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "destination.geo.location" => static (e, v) => 
TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "DestinationGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "destination.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "DestinationGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "destination.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "DestinationGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "destination.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "DestinationGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "destination.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "DestinationGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "destination.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "DestinationGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "destination.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "DestinationUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "destination.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "DestinationUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "destination.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "DestinationUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "destination.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "DestinationUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new 
User(),v), + "destination.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "DestinationUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "destination.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "DestinationUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "destination.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "DestinationUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "destination.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "DestinationUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "destination.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "DestinationUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "destination.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "DestinationUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "destination.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "DestinationUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "destination.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "DestinationUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "destination.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + 
"DestinationUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "destination.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "DestinationUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "destination.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "DestinationUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), _ => null }; + return assign; + } + public static bool TrySetDestination(EcsDocument document, string path, object value) + { + var assign = TryAssignDestination(path); if (assign == null) return false; - + var entity = document.Destination ?? new Destination(); var assigned = assign(entity, value); if (assigned) document.Destination = entity; return assigned; } - public static bool TrySetDevice(EcsDocument document, string path, object value) + public static Func TryAssignDevice(string path) { Func assign = path switch { @@ -1957,15 +3305,20 @@ public static bool TrySetDevice(EcsDocument document, string path, object value) "DeviceModelName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.ModelName = p), _ => null }; + return assign; + } + public static bool TrySetDevice(EcsDocument document, string path, object value) + { + var assign = TryAssignDevice(path); if (assign == null) return false; - + var entity = document.Device ?? new Device(); var assigned = assign(entity, value); if (assigned) document.Device = entity; return assigned; } - public static bool TrySetDll(EcsDocument document, string path, object value) + public static Func TryAssignDll(string path) { Func assign = path switch { 
@@ -1973,17 +3326,86 @@ public static bool TrySetDll(EcsDocument document, string path, object value) "DllName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "dll.path" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), "DllPath" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Path = p), + "dll.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "DllHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "dll.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "DllHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "dll.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "DllHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "dll.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "DllHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "dll.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "DllHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "dll.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "DllHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "dll.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "DllHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "dll.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "DllPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "dll.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "DllPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + 
"dll.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "DllPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "dll.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "DllPeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "dll.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "DllPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "dll.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "DllPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "dll.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "DllPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "DllPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "DllPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "dll.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "DllPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "dll.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "DllPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "dll.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "DllPeImportsNamesEntropy" => static (e, v) => 
TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "DllPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "dll.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "DllPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "dll.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "DllPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "dll.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "DllPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "dll.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureStatus" => static (e, v) => 
TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "dll.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "DllCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), _ => null }; + return assign; + } + public static bool TrySetDll(EcsDocument document, string path, object value) + { + var assign = TryAssignDll(path); if (assign == null) return false; - + var entity = document.Dll ?? 
new Dll(); var assigned = assign(entity, value); if (assigned) document.Dll = entity; return assigned; } - public static bool TrySetDns(EcsDocument document, string path, object value) + public static Func TryAssignDns(string path) { Func assign = path switch { @@ -2009,15 +3431,20 @@ public static bool TrySetDns(EcsDocument document, string path, object value) "DnsType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), _ => null }; + return assign; + } + public static bool TrySetDns(EcsDocument document, string path, object value) + { + var assign = TryAssignDns(path); if (assign == null) return false; - + var entity = document.Dns ?? new Dns(); var assigned = assign(entity, value); if (assigned) document.Dns = entity; return assigned; } - public static bool TrySetEcs(EcsDocument document, string path, object value) + public static Func TryAssignEcs(string path) { Func assign = path switch { @@ -2025,15 +3452,20 @@ public static bool TrySetEcs(EcsDocument document, string path, object value) "EcsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetEcs(EcsDocument document, string path, object value) + { + var assign = TryAssignEcs(path); if (assign == null) return false; - + var entity = document.Ecs ?? new Ecs(); var assigned = assign(entity, value); if (assigned) document.Ecs = entity; return assigned; } - public static bool TrySetElf(EcsDocument document, string path, object value) + public static Func TryAssignElf(string path) { Func assign = path switch { 
@@ -2081,15 +3513,20 @@ public static bool TrySetElf(EcsDocument document, string path, object value) "ElfTelfhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Telfhash = p), _ => null }; + return assign; + } + public static bool TrySetElf(IElf document, string path, object value) + { + var assign = TryAssignElf(path); if (assign == null) return false; - + var entity = document.Elf ?? new Elf(); var assigned = assign(entity, value); if (assigned) document.Elf = entity; return assigned; } - public static bool TrySetEmail(EcsDocument document, string path, object value) + public static Func TryAssignEmail(string path) { Func assign = path switch { @@ -2113,15 +3550,20 @@ public static bool TrySetEmail(EcsDocument document, string path, object value) "EmailXMailer" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.XMailer = p), _ => null }; + return assign; + } + public static bool TrySetEmail(EcsDocument document, string path, object value) + { + var assign = TryAssignEmail(path); if (assign == null) return false; - + var entity = document.Email ?? new Email(); var assigned = assign(entity, value); if (assigned) document.Email = entity; return assigned; } - public static bool TrySetError(EcsDocument document, string path, object value) + public static Func TryAssignError(string path) { Func assign = path switch { 
@@ -2137,15 +3579,20 @@ public static bool TrySetError(EcsDocument document, string path, object value) "ErrorType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), _ => null }; + return assign; + } + public static bool TrySetError(EcsDocument document, string path, object value) + { + var assign = TryAssignError(path); if (assign == null) return false; - + var entity = document.Error ?? new Error(); var assigned = assign(entity, value); if (assigned) document.Error = entity; return assigned; } - public static bool TrySetEvent(EcsDocument document, string path, object value) + public static Func TryAssignEvent(string path) { Func assign = path switch { @@ -2199,15 +3646,20 @@ public static bool TrySetEvent(EcsDocument document, string path, object value) "EventUrl" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Url = p), _ => null }; + return assign; + } + public static bool TrySetEvent(EcsDocument document, string path, object value) + { + var assign = TryAssignEvent(path); if (assign == null) return false; - + var entity = document.Event ?? new Event(); var assigned = assign(entity, value); if (assigned) document.Event = entity; return assigned; } - public static bool TrySetFaas(EcsDocument document, string path, object value) + public static Func TryAssignFaas(string path) { Func assign = path switch { 
@@ -2227,15 +3679,20 @@ public static bool TrySetFaas(EcsDocument document, string path, object value) "FaasVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetFaas(EcsDocument document, string path, object value) + { + var assign = TryAssignFaas(path); if (assign == null) return false; - + var entity = document.Faas ?? new Faas(); var assigned = assign(entity, value); if (assigned) document.Faas = entity; return assigned; } - public static bool TrySetFile(EcsDocument document, string path, object value) + public static Func TryAssignFile(string path) { Func assign = path switch { 
@@ -2281,17 +3738,168 @@ public static bool TrySetFile(EcsDocument document, string path, object value) "FileType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "file.uid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), "FileUid" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Uid = p), + "file.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "FileHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "file.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "FileHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "file.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "FileHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "file.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "FileHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "file.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "FileHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "file.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "FileHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "file.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "FileHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "file.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "FilePeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "file.pe.company" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "FilePeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe 
??= new Pe(),v), + "file.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "FilePeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "file.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "FilePeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "file.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "FilePeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "file.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "FilePeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "file.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "FilePeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "FilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "file.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "FilePeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "file.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "FilePeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "file.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "FilePeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "file.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "FilePeImportsNamesEntropy" => static (e, v) => 
TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "file.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "FilePeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "file.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "FilePeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "file.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "FilePePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "file.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "FilePeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "file.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ??= new X509(),v), + "FileX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.X509 ??= new X509(),v), + "file.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ??= new X509(),v), + "FileX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.X509 ??= new X509(),v), + "file.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.X509 ??= new X509(),v), + "FileX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.X509 ??= new X509(),v), + "file.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ??= new X509(),v), + "FileX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.X509 ??= new X509(),v), + "file.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ??= new X509(),v), + "FileX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.X509 ??= new 
X509(),v), + "file.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ??= new X509(),v), + "FileX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.X509 ??= new X509(),v), + "file.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ??= new X509(),v), + "FileX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.X509 ??= new X509(),v), + "file.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ??= new X509(),v), + "FileX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.X509 ??= new X509(),v), + "file.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ??= new X509(),v), + "FileX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.X509 ??= new X509(),v), + "file.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ??= new X509(),v), + "FileX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.X509 ??= new X509(),v), + "file.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.X509 ??= new X509(),v), + "FileX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.X509 ??= new X509(),v), + "file.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature 
??= new CodeSignature(),v), + "file.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "file.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "FileCodeSignatureValid" => static (e, v) => 
TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "file.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + "FileElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + "file.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "FileElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "file.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "FileElfCpuType" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "file.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "FileElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "file.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "FileElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "file.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "FileElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "file.elf.go_imports_names_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "FileElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "FileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "file.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new Elf(),v), + "FileElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new 
Elf(),v), + "file.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + "FileElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + "file.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "FileElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "file.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "FileElfHeaderData" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "file.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "FileElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "file.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "FileElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "file.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "FileElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "file.elf.header.type" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "FileElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "file.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "FileElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "file.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "FileElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "file.elf.imports_names_entropy" => static (e, v) => 
TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + "FileElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + "file.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "FileElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "file.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "FileElfTelfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "file.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "FileMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "file.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "FileMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "file.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + "FileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + "file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "FileMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "file.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "FileMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "file.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "FileMachoImportHash" => static (e, v) => 
TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "file.macho.imports_names_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "FileMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "file.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "FileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "file.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), + "FileMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), _ => null }; + return assign; + } + public static bool TrySetFile(EcsDocument document, string path, object value) + { + var assign = TryAssignFile(path); if (assign == null) return false; - + var entity = document.File ?? new File(); var assigned = assign(entity, value); if (assigned) document.File = entity; return assigned; } - public static bool TrySetGeo(EcsDocument document, string path, object value) + public static Func TryAssignGeo(string path) { Func assign = path switch { 
@@ -2305,6 +3913,8 @@ public static bool TrySetGeo(EcsDocument document, string path, object value) "GeoCountryIsoCode" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryIsoCode = p), "geo.country_name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), "GeoCountryName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.CountryName = p), + "geo.location" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Location = p), + "GeoLocation" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Location = p), "geo.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "GeoName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "geo.postal_code" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.PostalCode = p), @@ -2317,15 +3927,20 @@ public static bool TrySetGeo(EcsDocument document, string path, object value) "GeoTimezone" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Timezone = p), _ => null }; + return assign; + } + public static bool TrySetGeo(IGeo document, string path, object value) + { + var assign = TryAssignGeo(path); if (assign == null) return false; - + var entity = document.Geo ?? new Geo(); var assigned = assign(entity, value); if (assigned) document.Geo = entity; return assigned; } - public static bool TrySetGroup(EcsDocument document, string path, object value) + public static Func TryAssignGroup(string path) { Func assign = path switch { 
@@ -2337,15 +3952,20 @@ public static bool TrySetGroup(EcsDocument document, string path, object value) "GroupName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetGroup(IGroup document, string path, object value) + { + var assign = TryAssignGroup(path); if (assign == null) return false; - + var entity = document.Group ?? new Group(); var assigned = assign(entity, value); if (assigned) document.Group = entity; return assigned; } - public static bool TrySetHash(EcsDocument document, string path, object value) + public static Func TryAssignHash(string path) { Func assign = path switch { @@ -2365,15 +3985,20 @@ public static bool TrySetHash(EcsDocument document, string path, object value) "HashTlsh" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Tlsh = p), _ => null }; + return assign; + } + public static bool TrySetHash(IHash document, string path, object value) + { + var assign = TryAssignHash(path); if (assign == null) return false; - + var entity = document.Hash ?? new Hash(); var assigned = assign(entity, value); if (assigned) document.Hash = entity; return assigned; } - public static bool TrySetHost(EcsDocument document, string path, object value) + public static Func TryAssignHost(string path) { Func assign = path switch { 
@@ -2409,17 +4034,70 @@ public static bool TrySetHost(EcsDocument document, string path, object value) "HostType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "host.uptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), "HostUptime" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Uptime = p), + "host.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "HostGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "host.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "HostGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "host.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "HostGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "host.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "HostGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "host.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "HostGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "host.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "HostGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "host.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "HostGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "host.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "HostGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "host.geo.region_iso_code" => static (e, v) => 
TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "HostGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "host.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "HostGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "host.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "HostGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "host.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "HostOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "host.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "HostOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "host.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "HostOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "host.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "HostOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "host.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "HostOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "host.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "HostOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "host.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "HostOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "host.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "HostRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "host.risk.calculated_score" => static 
(e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "HostRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "host.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "HostRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "host.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "HostRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "host.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "HostRiskStaticScore" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "host.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), + "HostRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), _ => null }; + return assign; + } + public static bool TrySetHost(EcsDocument document, string path, object value) + { + var assign = TryAssignHost(path); if (assign == null) return false; - + var entity = document.Host ?? new Host(); var assigned = assign(entity, value); if (assigned) document.Host = entity; return assigned; } - public static bool TrySetHttp(EcsDocument document, string path, object value) + public static Func TryAssignHttp(string path) { Func assign = path switch { 
@@ -2451,15 +4129,20 @@ public static bool TrySetHttp(EcsDocument document, string path, object value) "HttpVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetHttp(EcsDocument document, string path, object value) + { + var assign = TryAssignHttp(path); if (assign == null) return false; - + var entity = document.Http ?? new Http(); var assigned = assign(entity, value); if (assigned) document.Http = entity; return assigned; } - public static bool TrySetInterface(EcsDocument document, string path, object value) + public static Func TryAssignInterface(string path) { Func assign = path switch { @@ -2471,15 +4154,20 @@ public static bool TrySetInterface(EcsDocument document, string path, object val "InterfaceName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetInterface(EcsDocument document, string path, object value) + { + var assign = TryAssignInterface(path); if (assign == null) return false; - + var entity = document.Interface ?? new Interface(); var assigned = assign(entity, value); if (assigned) document.Interface = entity; return assigned; } - public static bool TrySetLog(EcsDocument document, string path, object value) + public static Func TryAssignLog(string path) { Func assign = path switch { 
@@ -2497,15 +4185,20 @@ public static bool TrySetLog(EcsDocument document, string path, object value) "LogOriginFunction" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.OriginFunction = p), _ => null }; + return assign; + } + public static bool TrySetLog(EcsDocument document, string path, object value) + { + var assign = TryAssignLog(path); if (assign == null) return false; - + var entity = document.Log ?? new Log(); var assigned = assign(entity, value); if (assigned) document.Log = entity; return assigned; } - public static bool TrySetMacho(EcsDocument document, string path, object value) + public static Func TryAssignMacho(string path) { Func assign = path switch { @@ -2529,15 +4222,20 @@ public static bool TrySetMacho(EcsDocument document, string path, object value) "MachoSymhash" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Symhash = p), _ => null }; + return assign; + } + public static bool TrySetMacho(IMacho document, string path, object value) + { + var assign = TryAssignMacho(path); if (assign == null) return false; - + var entity = document.Macho ?? new Macho(); var assigned = assign(entity, value); if (assigned) document.Macho = entity; return assigned; } - public static bool TrySetNetwork(EcsDocument document, string path, object value) + public static Func TryAssignNetwork(string path) { Func assign = path switch { 
@@ -2563,17 +4261,26 @@ public static bool TrySetNetwork(EcsDocument document, string path, object value "NetworkTransport" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Transport = p), "network.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), "NetworkType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), + "network.vlan.id" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ??= new Vlan(),v), + "NetworkVlanId" => static (e, v) => TryAssignVlan("vlan.id")(e.Vlan ??= new Vlan(),v), + "network.vlan.name" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ??= new Vlan(),v), + "NetworkVlanName" => static (e, v) => TryAssignVlan("vlan.name")(e.Vlan ??= new Vlan(),v), _ => null }; + return assign; + } + public static bool TrySetNetwork(EcsDocument document, string path, object value) + { + var assign = TryAssignNetwork(path); if (assign == null) return false; - + var entity = document.Network ?? new Network(); var assigned = assign(entity, value); if (assigned) document.Network = entity; return assigned; } - public static bool TrySetObserver(EcsDocument document, string path, object value) + public static Func TryAssignObserver(string path) { Func assign = path switch { 
@@ -2591,17 +4298,58 @@ public static bool TrySetObserver(EcsDocument document, string path, object valu "ObserverVendor" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Vendor = p), "observer.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "ObserverVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "observer.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "ObserverGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "observer.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "ObserverGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "observer.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "ObserverGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "observer.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "ObserverGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "observer.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "ObserverGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "observer.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "ObserverGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "observer.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "ObserverGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "observer.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "ObserverGeoPostalCode" => static (e, v) => 
TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "observer.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "ObserverGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "observer.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "ObserverGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "observer.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "ObserverGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "observer.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "ObserverOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "observer.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "ObserverOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "observer.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "ObserverOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "observer.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "ObserverOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "observer.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "ObserverOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "observer.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "ObserverOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "observer.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "ObserverOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), _ => null }; + return assign; + } + public static bool TrySetObserver(EcsDocument 
document, string path, object value) + { + var assign = TryAssignObserver(path); if (assign == null) return false; - + var entity = document.Observer ?? new Observer(); var assigned = assign(entity, value); if (assigned) document.Observer = entity; return assigned; } - public static bool TrySetOrchestrator(EcsDocument document, string path, object value) + public static Func TryAssignOrchestrator(string path) { Func assign = path switch { @@ -2631,15 +4379,20 @@ public static bool TrySetOrchestrator(EcsDocument document, string path, object "OrchestratorType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Type = p), _ => null }; + return assign; + } + public static bool TrySetOrchestrator(EcsDocument document, string path, object value) + { + var assign = TryAssignOrchestrator(path); if (assign == null) return false; - + var entity = document.Orchestrator ?? new Orchestrator(); var assigned = assign(entity, value); if (assigned) document.Orchestrator = entity; return assigned; } - public static bool TrySetOrganization(EcsDocument document, string path, object value) + public static Func TryAssignOrganization(string path) { Func assign = path switch { @@ -2649,15 +4402,20 @@ public static bool TrySetOrganization(EcsDocument document, string path, object "OrganizationName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetOrganization(EcsDocument document, string path, object value) + { + var assign = TryAssignOrganization(path); if (assign == null) return false; - + var entity = document.Organization ?? new Organization(); var assigned = assign(entity, value); if (assigned) document.Organization = entity; return assigned; } - public static bool TrySetOs(EcsDocument document, string path, object value) + public static Func TryAssignOs(string path) { Func assign = path switch { 
@@ -2677,15 +4435,20 @@ public static bool TrySetOs(EcsDocument document, string path, object value) "OsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetOs(IOs document, string path, object value) + { + var assign = TryAssignOs(path); if (assign == null) return false; - + var entity = document.Os ?? new Os(); var assigned = assign(entity, value); if (assigned) document.Os = entity; return assigned; } - public static bool TrySetPackage(EcsDocument document, string path, object value) + public static Func TryAssignPackage(string path) { Func assign = path switch { @@ -2717,15 +4480,20 @@ public static bool TrySetPackage(EcsDocument document, string path, object value "PackageVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetPackage(EcsDocument document, string path, object value) + { + var assign = TryAssignPackage(path); if (assign == null) return false; - + var entity = document.Package ?? new Package(); var assigned = assign(entity, value); if (assigned) document.Package = entity; return assigned; } - public static bool TrySetPe(EcsDocument document, string path, object value) + public static Func TryAssignPe(string path) { Func assign = path switch { 
@@ -2763,15 +4531,20 @@ public static bool TrySetPe(EcsDocument document, string path, object value) "PeProduct" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Product = p), _ => null }; + return assign; + } + public static bool TrySetPe(IPe document, string path, object value) + { + var assign = TryAssignPe(path); if (assign == null) return false; - + var entity = document.Pe ?? new Pe(); var assigned = assign(entity, value); if (assigned) document.Pe = entity; return assigned; } - public static bool TrySetProcess(EcsDocument document, string path, object value) + public static Func TryAssignProcess(string path) { Func assign = path switch { 
@@ -2809,17 +4582,364 @@ public static bool TrySetProcess(EcsDocument document, string path, object value "ProcessVpid" => static (e, v) => TrySetLong(e, v, static (ee, p) => ee.Vpid = p), "process.working_directory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), "ProcessWorkingDirectory" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.WorkingDirectory = p), + "process.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "ProcessGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "process.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "ProcessGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "process.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "ProcessGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "process.real_group.domain" => static (e, v) => TryAssignGroup("real_group.domain")(e.RealGroup ??= new Group(),v), + "ProcessRealGroupDomain" => static (e, v) => TryAssignGroup("real_group.domain")(e.RealGroup ??= new Group(),v), + "process.real_group.id" => static (e, v) => TryAssignGroup("real_group.id")(e.RealGroup ??= new Group(),v), + "ProcessRealGroupId" => static (e, v) => TryAssignGroup("real_group.id")(e.RealGroup ??= new Group(),v), + "process.real_group.name" => static (e, v) => TryAssignGroup("real_group.name")(e.RealGroup ??= new Group(),v), + "ProcessRealGroupName" => static (e, v) => TryAssignGroup("real_group.name")(e.RealGroup ??= new Group(),v), + "process.saved_group.domain" => static (e, v) => TryAssignGroup("saved_group.domain")(e.SavedGroup ??= new Group(),v), + "ProcessSavedGroupDomain" => static (e, v) => TryAssignGroup("saved_group.domain")(e.SavedGroup ??= new Group(),v), + "process.saved_group.id" => static (e, v) => 
TryAssignGroup("saved_group.id")(e.SavedGroup ??= new Group(),v), + "ProcessSavedGroupId" => static (e, v) => TryAssignGroup("saved_group.id")(e.SavedGroup ??= new Group(),v), + "process.saved_group.name" => static (e, v) => TryAssignGroup("saved_group.name")(e.SavedGroup ??= new Group(),v), + "ProcessSavedGroupName" => static (e, v) => TryAssignGroup("saved_group.name")(e.SavedGroup ??= new Group(),v), + "process.hash.md5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "ProcessHashMd5" => static (e, v) => TryAssignHash("hash.md5")(e.Hash ??= new Hash(),v), + "process.hash.sha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "ProcessHashSha1" => static (e, v) => TryAssignHash("hash.sha1")(e.Hash ??= new Hash(),v), + "process.hash.sha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "ProcessHashSha256" => static (e, v) => TryAssignHash("hash.sha256")(e.Hash ??= new Hash(),v), + "process.hash.sha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "ProcessHashSha384" => static (e, v) => TryAssignHash("hash.sha384")(e.Hash ??= new Hash(),v), + "process.hash.sha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "ProcessHashSha512" => static (e, v) => TryAssignHash("hash.sha512")(e.Hash ??= new Hash(),v), + "process.hash.ssdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "ProcessHashSsdeep" => static (e, v) => TryAssignHash("hash.ssdeep")(e.Hash ??= new Hash(),v), + "process.hash.tlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "ProcessHashTlsh" => static (e, v) => TryAssignHash("hash.tlsh")(e.Hash ??= new Hash(),v), + "process.pe.architecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "ProcessPeArchitecture" => static (e, v) => TryAssignPe("pe.architecture")(e.Pe ??= new Pe(),v), + "process.pe.company" => static (e, v) => 
TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "ProcessPeCompany" => static (e, v) => TryAssignPe("pe.company")(e.Pe ??= new Pe(),v), + "process.pe.description" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "ProcessPeDescription" => static (e, v) => TryAssignPe("pe.description")(e.Pe ??= new Pe(),v), + "process.pe.file_version" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "ProcessPeFileVersion" => static (e, v) => TryAssignPe("pe.file_version")(e.Pe ??= new Pe(),v), + "process.pe.go_import_hash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "ProcessPeGoImportHash" => static (e, v) => TryAssignPe("pe.go_import_hash")(e.Pe ??= new Pe(),v), + "process.pe.go_imports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "ProcessPeGoImports" => static (e, v) => TryAssignPe("pe.go_imports")(e.Pe ??= new Pe(),v), + "process.pe.go_imports_names_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "ProcessPeGoImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_entropy")(e.Pe ??= new Pe(),v), + "process.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "ProcessPeGoImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.go_imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "process.pe.go_stripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "ProcessPeGoStripped" => static (e, v) => TryAssignPe("pe.go_stripped")(e.Pe ??= new Pe(),v), + "process.pe.imphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "ProcessPeImphash" => static (e, v) => TryAssignPe("pe.imphash")(e.Pe ??= new Pe(),v), + "process.pe.import_hash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new Pe(),v), + "ProcessPeImportHash" => static (e, v) => TryAssignPe("pe.import_hash")(e.Pe ??= new 
Pe(),v), + "process.pe.imports_names_entropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "ProcessPeImportsNamesEntropy" => static (e, v) => TryAssignPe("pe.imports_names_entropy")(e.Pe ??= new Pe(),v), + "process.pe.imports_names_var_entropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "ProcessPeImportsNamesVarEntropy" => static (e, v) => TryAssignPe("pe.imports_names_var_entropy")(e.Pe ??= new Pe(),v), + "process.pe.original_file_name" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "ProcessPeOriginalFileName" => static (e, v) => TryAssignPe("pe.original_file_name")(e.Pe ??= new Pe(),v), + "process.pe.pehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "ProcessPePehash" => static (e, v) => TryAssignPe("pe.pehash")(e.Pe ??= new Pe(),v), + "process.pe.product" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "ProcessPeProduct" => static (e, v) => TryAssignPe("pe.product")(e.Pe ??= new Pe(),v), + "process.code_signature.digest_algorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignCodeSignature("code_signature.digest_algorithm")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.exists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureExists" => static (e, v) => TryAssignCodeSignature("code_signature.exists")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.signing_id" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureSigningId" => static (e, v) => TryAssignCodeSignature("code_signature.signing_id")(e.CodeSignature ??= new CodeSignature(),v), + 
"process.code_signature.status" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureStatus" => static (e, v) => TryAssignCodeSignature("code_signature.status")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.subject_name" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureSubjectName" => static (e, v) => TryAssignCodeSignature("code_signature.subject_name")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.team_id" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureTeamId" => static (e, v) => TryAssignCodeSignature("code_signature.team_id")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.timestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureTimestamp" => static (e, v) => TryAssignCodeSignature("code_signature.timestamp")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.trusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureTrusted" => static (e, v) => TryAssignCodeSignature("code_signature.trusted")(e.CodeSignature ??= new CodeSignature(),v), + "process.code_signature.valid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "ProcessCodeSignatureValid" => static (e, v) => TryAssignCodeSignature("code_signature.valid")(e.CodeSignature ??= new CodeSignature(),v), + "process.elf.architecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + "ProcessElfArchitecture" => static (e, v) => TryAssignElf("elf.architecture")(e.Elf ??= new Elf(),v), + 
"process.elf.byte_order" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "ProcessElfByteOrder" => static (e, v) => TryAssignElf("elf.byte_order")(e.Elf ??= new Elf(),v), + "process.elf.cpu_type" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "ProcessElfCpuType" => static (e, v) => TryAssignElf("elf.cpu_type")(e.Elf ??= new Elf(),v), + "process.elf.creation_date" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "ProcessElfCreationDate" => static (e, v) => TryAssignElf("elf.creation_date")(e.Elf ??= new Elf(),v), + "process.elf.go_import_hash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "ProcessElfGoImportHash" => static (e, v) => TryAssignElf("elf.go_import_hash")(e.Elf ??= new Elf(),v), + "process.elf.go_imports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "ProcessElfGoImports" => static (e, v) => TryAssignElf("elf.go_imports")(e.Elf ??= new Elf(),v), + "process.elf.go_imports_names_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfGoImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_entropy")(e.Elf ??= new Elf(),v), + "process.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.go_imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "process.elf.go_stripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new Elf(),v), + "ProcessElfGoStripped" => static (e, v) => TryAssignElf("elf.go_stripped")(e.Elf ??= new Elf(),v), + "process.elf.header.abi_version" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderAbiVersion" => static (e, v) => TryAssignElf("elf.header.abi_version")(e.Elf ??= new Elf(),v), + 
"process.elf.header.class" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderClass" => static (e, v) => TryAssignElf("elf.header.class")(e.Elf ??= new Elf(),v), + "process.elf.header.data" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderData" => static (e, v) => TryAssignElf("elf.header.data")(e.Elf ??= new Elf(),v), + "process.elf.header.entrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderEntrypoint" => static (e, v) => TryAssignElf("elf.header.entrypoint")(e.Elf ??= new Elf(),v), + "process.elf.header.object_version" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderObjectVersion" => static (e, v) => TryAssignElf("elf.header.object_version")(e.Elf ??= new Elf(),v), + "process.elf.header.os_abi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderOsAbi" => static (e, v) => TryAssignElf("elf.header.os_abi")(e.Elf ??= new Elf(),v), + "process.elf.header.type" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderType" => static (e, v) => TryAssignElf("elf.header.type")(e.Elf ??= new Elf(),v), + "process.elf.header.version" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "ProcessElfHeaderVersion" => static (e, v) => TryAssignElf("elf.header.version")(e.Elf ??= new Elf(),v), + "process.elf.import_hash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "ProcessElfImportHash" => static (e, v) => TryAssignElf("elf.import_hash")(e.Elf ??= new Elf(),v), + "process.elf.imports_names_entropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfImportsNamesEntropy" => static (e, v) => TryAssignElf("elf.imports_names_entropy")(e.Elf ??= new Elf(),v), + 
"process.elf.imports_names_var_entropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "ProcessElfImportsNamesVarEntropy" => static (e, v) => TryAssignElf("elf.imports_names_var_entropy")(e.Elf ??= new Elf(),v), + "process.elf.telfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "ProcessElfTelfhash" => static (e, v) => TryAssignElf("elf.telfhash")(e.Elf ??= new Elf(),v), + "process.macho.go_import_hash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImportHash" => static (e, v) => TryAssignMacho("macho.go_import_hash")(e.Macho ??= new Macho(),v), + "process.macho.go_imports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImports" => static (e, v) => TryAssignMacho("macho.go_imports")(e.Macho ??= new Macho(),v), + "process.macho.go_imports_names_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_entropy")(e.Macho ??= new Macho(),v), + "process.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoGoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.go_imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "process.macho.go_stripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "ProcessMachoGoStripped" => static (e, v) => TryAssignMacho("macho.go_stripped")(e.Macho ??= new Macho(),v), + "process.macho.import_hash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "ProcessMachoImportHash" => static (e, v) => TryAssignMacho("macho.import_hash")(e.Macho ??= new Macho(),v), + "process.macho.imports_names_entropy" => static (e, v) => 
TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoImportsNamesEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_entropy")(e.Macho ??= new Macho(),v), + "process.macho.imports_names_var_entropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "ProcessMachoImportsNamesVarEntropy" => static (e, v) => TryAssignMacho("macho.imports_names_var_entropy")(e.Macho ??= new Macho(),v), + "process.macho.symhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), + "ProcessMachoSymhash" => static (e, v) => TryAssignMacho("macho.symhash")(e.Macho ??= new Macho(),v), + "process.entry_meta.source.address" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceAddress" => static (e, v) => TryAssignSource("source.address")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.bytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceBytes" => static (e, v) => TryAssignSource("source.bytes")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.domain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceDomain" => static (e, v) => TryAssignSource("source.domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.ip" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceIp" => static (e, v) => TryAssignSource("source.ip")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.mac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceMac" => static (e, v) => TryAssignSource("source.mac")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.nat.ip" => static (e, v) => 
TryAssignSource("source.nat.ip")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceNatIp" => static (e, v) => TryAssignSource("source.nat.ip")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.nat.port" => static (e, v) => TryAssignSource("source.nat.port")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceNatPort" => static (e, v) => TryAssignSource("source.nat.port")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.packets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourcePackets" => static (e, v) => TryAssignSource("source.packets")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.port" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourcePort" => static (e, v) => TryAssignSource("source.port")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.registered_domain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceRegisteredDomain" => static (e, v) => TryAssignSource("source.registered_domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.subdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceSubdomain" => static (e, v) => TryAssignSource("source.subdomain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.top_level_domain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceTopLevelDomain" => static (e, v) => TryAssignSource("source.top_level_domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.as.number" => static (e, v) => TryAssignSource("source.as.number")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceAsNumber" => static (e, 
v) => TryAssignSource("source.as.number")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.as.organization.name" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceAsOrganizationName" => static (e, v) => TryAssignSource("source.as.organization.name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.city_name" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoCityName" => static (e, v) => TryAssignSource("source.geo.city_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.continent_code" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoContinentCode" => static (e, v) => TryAssignSource("source.geo.continent_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.continent_name" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoContinentName" => static (e, v) => TryAssignSource("source.geo.continent_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.country_iso_code" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoCountryIsoCode" => static (e, v) => TryAssignSource("source.geo.country_iso_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.country_name" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoCountryName" => static (e, v) => TryAssignSource("source.geo.country_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.location" => static (e, v) => TryAssignSource("source.geo.location")(e.EntryMetaSource ??= new 
Source(),v), + "ProcessEntryMetaSourceGeoLocation" => static (e, v) => TryAssignSource("source.geo.location")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.name" => static (e, v) => TryAssignSource("source.geo.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoName" => static (e, v) => TryAssignSource("source.geo.name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.postal_code" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoPostalCode" => static (e, v) => TryAssignSource("source.geo.postal_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.region_iso_code" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoRegionIsoCode" => static (e, v) => TryAssignSource("source.geo.region_iso_code")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.region_name" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoRegionName" => static (e, v) => TryAssignSource("source.geo.region_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.geo.timezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceGeoTimezone" => static (e, v) => TryAssignSource("source.geo.timezone")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.domain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserDomain" => static (e, v) => TryAssignSource("source.user.domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.email" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ??= new Source(),v), + 
"ProcessEntryMetaSourceUserEmail" => static (e, v) => TryAssignSource("source.user.email")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.full_name" => static (e, v) => TryAssignSource("source.user.full_name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserFullName" => static (e, v) => TryAssignSource("source.user.full_name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.hash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserHash" => static (e, v) => TryAssignSource("source.user.hash")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.id" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserId" => static (e, v) => TryAssignSource("source.user.id")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.name" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserName" => static (e, v) => TryAssignSource("source.user.name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.group.domain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserGroupDomain" => static (e, v) => TryAssignSource("source.user.group.domain")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.group.id" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserGroupId" => static (e, v) => TryAssignSource("source.user.group.id")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.group.name" => static (e, v) => TryAssignSource("source.user.group.name")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserGroupName" => static (e, v) => 
TryAssignSource("source.user.group.name")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.calculated_level" => static (e, v) => TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedLevel" => static (e, v) => TryAssignSource("source.user.risk.calculated_level")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.calculated_score" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedScore" => static (e, v) => TryAssignSource("source.user.risk.calculated_score")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.calculated_score_norm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignSource("source.user.risk.calculated_score_norm")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.static_level" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticLevel" => static (e, v) => TryAssignSource("source.user.risk.static_level")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.static_score" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticScore" => static (e, v) => TryAssignSource("source.user.risk.static_score")(e.EntryMetaSource ??= new Source(),v), + "process.entry_meta.source.user.risk.static_score_norm" => static (e, v) => TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ??= new Source(),v), + "ProcessEntryMetaSourceUserRiskStaticScoreNorm" => static (e, v) => 
TryAssignSource("source.user.risk.static_score_norm")(e.EntryMetaSource ??= new Source(),v), + "process.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "ProcessUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "process.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "ProcessUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "process.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "ProcessUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "process.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "ProcessUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "process.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "ProcessUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "process.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "ProcessUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "process.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "ProcessUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "process.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "ProcessUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "process.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "ProcessUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "process.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new 
User(),v), + "ProcessUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "process.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "ProcessUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "process.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "ProcessUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "process.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "ProcessUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "process.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "ProcessUserRiskStaticScore" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "process.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "ProcessUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "process.saved_user.domain" => static (e, v) => TryAssignUser("saved_user.domain")(e.SavedUser ??= new User(),v), + "ProcessSavedUserDomain" => static (e, v) => TryAssignUser("saved_user.domain")(e.SavedUser ??= new User(),v), + "process.saved_user.email" => static (e, v) => TryAssignUser("saved_user.email")(e.SavedUser ??= new User(),v), + "ProcessSavedUserEmail" => static (e, v) => TryAssignUser("saved_user.email")(e.SavedUser ??= new User(),v), + "process.saved_user.full_name" => static (e, v) => TryAssignUser("saved_user.full_name")(e.SavedUser ??= new User(),v), + 
"ProcessSavedUserFullName" => static (e, v) => TryAssignUser("saved_user.full_name")(e.SavedUser ??= new User(),v), + "process.saved_user.hash" => static (e, v) => TryAssignUser("saved_user.hash")(e.SavedUser ??= new User(),v), + "ProcessSavedUserHash" => static (e, v) => TryAssignUser("saved_user.hash")(e.SavedUser ??= new User(),v), + "process.saved_user.id" => static (e, v) => TryAssignUser("saved_user.id")(e.SavedUser ??= new User(),v), + "ProcessSavedUserId" => static (e, v) => TryAssignUser("saved_user.id")(e.SavedUser ??= new User(),v), + "process.saved_user.name" => static (e, v) => TryAssignUser("saved_user.name")(e.SavedUser ??= new User(),v), + "ProcessSavedUserName" => static (e, v) => TryAssignUser("saved_user.name")(e.SavedUser ??= new User(),v), + "process.saved_user.group.domain" => static (e, v) => TryAssignUser("saved_user.group.domain")(e.SavedUser ??= new User(),v), + "ProcessSavedUserGroupDomain" => static (e, v) => TryAssignUser("saved_user.group.domain")(e.SavedUser ??= new User(),v), + "process.saved_user.group.id" => static (e, v) => TryAssignUser("saved_user.group.id")(e.SavedUser ??= new User(),v), + "ProcessSavedUserGroupId" => static (e, v) => TryAssignUser("saved_user.group.id")(e.SavedUser ??= new User(),v), + "process.saved_user.group.name" => static (e, v) => TryAssignUser("saved_user.group.name")(e.SavedUser ??= new User(),v), + "ProcessSavedUserGroupName" => static (e, v) => TryAssignUser("saved_user.group.name")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.calculated_level" => static (e, v) => TryAssignUser("saved_user.risk.calculated_level")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("saved_user.risk.calculated_level")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.calculated_score" => static (e, v) => TryAssignUser("saved_user.risk.calculated_score")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskCalculatedScore" => static (e, v) => 
TryAssignUser("saved_user.risk.calculated_score")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("saved_user.risk.calculated_score_norm")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("saved_user.risk.calculated_score_norm")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.static_level" => static (e, v) => TryAssignUser("saved_user.risk.static_level")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskStaticLevel" => static (e, v) => TryAssignUser("saved_user.risk.static_level")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.static_score" => static (e, v) => TryAssignUser("saved_user.risk.static_score")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskStaticScore" => static (e, v) => TryAssignUser("saved_user.risk.static_score")(e.SavedUser ??= new User(),v), + "process.saved_user.risk.static_score_norm" => static (e, v) => TryAssignUser("saved_user.risk.static_score_norm")(e.SavedUser ??= new User(),v), + "ProcessSavedUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("saved_user.risk.static_score_norm")(e.SavedUser ??= new User(),v), + "process.real_user.domain" => static (e, v) => TryAssignUser("real_user.domain")(e.RealUser ??= new User(),v), + "ProcessRealUserDomain" => static (e, v) => TryAssignUser("real_user.domain")(e.RealUser ??= new User(),v), + "process.real_user.email" => static (e, v) => TryAssignUser("real_user.email")(e.RealUser ??= new User(),v), + "ProcessRealUserEmail" => static (e, v) => TryAssignUser("real_user.email")(e.RealUser ??= new User(),v), + "process.real_user.full_name" => static (e, v) => TryAssignUser("real_user.full_name")(e.RealUser ??= new User(),v), + "ProcessRealUserFullName" => static (e, v) => TryAssignUser("real_user.full_name")(e.RealUser ??= new User(),v), + "process.real_user.hash" => static (e, v) => TryAssignUser("real_user.hash")(e.RealUser ??= new 
User(),v), + "ProcessRealUserHash" => static (e, v) => TryAssignUser("real_user.hash")(e.RealUser ??= new User(),v), + "process.real_user.id" => static (e, v) => TryAssignUser("real_user.id")(e.RealUser ??= new User(),v), + "ProcessRealUserId" => static (e, v) => TryAssignUser("real_user.id")(e.RealUser ??= new User(),v), + "process.real_user.name" => static (e, v) => TryAssignUser("real_user.name")(e.RealUser ??= new User(),v), + "ProcessRealUserName" => static (e, v) => TryAssignUser("real_user.name")(e.RealUser ??= new User(),v), + "process.real_user.group.domain" => static (e, v) => TryAssignUser("real_user.group.domain")(e.RealUser ??= new User(),v), + "ProcessRealUserGroupDomain" => static (e, v) => TryAssignUser("real_user.group.domain")(e.RealUser ??= new User(),v), + "process.real_user.group.id" => static (e, v) => TryAssignUser("real_user.group.id")(e.RealUser ??= new User(),v), + "ProcessRealUserGroupId" => static (e, v) => TryAssignUser("real_user.group.id")(e.RealUser ??= new User(),v), + "process.real_user.group.name" => static (e, v) => TryAssignUser("real_user.group.name")(e.RealUser ??= new User(),v), + "ProcessRealUserGroupName" => static (e, v) => TryAssignUser("real_user.group.name")(e.RealUser ??= new User(),v), + "process.real_user.risk.calculated_level" => static (e, v) => TryAssignUser("real_user.risk.calculated_level")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("real_user.risk.calculated_level")(e.RealUser ??= new User(),v), + "process.real_user.risk.calculated_score" => static (e, v) => TryAssignUser("real_user.risk.calculated_score")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskCalculatedScore" => static (e, v) => TryAssignUser("real_user.risk.calculated_score")(e.RealUser ??= new User(),v), + "process.real_user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("real_user.risk.calculated_score_norm")(e.RealUser ??= new User(),v), + 
"ProcessRealUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("real_user.risk.calculated_score_norm")(e.RealUser ??= new User(),v), + "process.real_user.risk.static_level" => static (e, v) => TryAssignUser("real_user.risk.static_level")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskStaticLevel" => static (e, v) => TryAssignUser("real_user.risk.static_level")(e.RealUser ??= new User(),v), + "process.real_user.risk.static_score" => static (e, v) => TryAssignUser("real_user.risk.static_score")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskStaticScore" => static (e, v) => TryAssignUser("real_user.risk.static_score")(e.RealUser ??= new User(),v), + "process.real_user.risk.static_score_norm" => static (e, v) => TryAssignUser("real_user.risk.static_score_norm")(e.RealUser ??= new User(),v), + "ProcessRealUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("real_user.risk.static_score_norm")(e.RealUser ??= new User(),v), + "process.attested_user.domain" => static (e, v) => TryAssignUser("attested_user.domain")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserDomain" => static (e, v) => TryAssignUser("attested_user.domain")(e.AttestedUser ??= new User(),v), + "process.attested_user.email" => static (e, v) => TryAssignUser("attested_user.email")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserEmail" => static (e, v) => TryAssignUser("attested_user.email")(e.AttestedUser ??= new User(),v), + "process.attested_user.full_name" => static (e, v) => TryAssignUser("attested_user.full_name")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserFullName" => static (e, v) => TryAssignUser("attested_user.full_name")(e.AttestedUser ??= new User(),v), + "process.attested_user.hash" => static (e, v) => TryAssignUser("attested_user.hash")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserHash" => static (e, v) => TryAssignUser("attested_user.hash")(e.AttestedUser ??= new User(),v), + "process.attested_user.id" => static (e, v) => 
TryAssignUser("attested_user.id")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserId" => static (e, v) => TryAssignUser("attested_user.id")(e.AttestedUser ??= new User(),v), + "process.attested_user.name" => static (e, v) => TryAssignUser("attested_user.name")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserName" => static (e, v) => TryAssignUser("attested_user.name")(e.AttestedUser ??= new User(),v), + "process.attested_user.group.domain" => static (e, v) => TryAssignUser("attested_user.group.domain")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserGroupDomain" => static (e, v) => TryAssignUser("attested_user.group.domain")(e.AttestedUser ??= new User(),v), + "process.attested_user.group.id" => static (e, v) => TryAssignUser("attested_user.group.id")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserGroupId" => static (e, v) => TryAssignUser("attested_user.group.id")(e.AttestedUser ??= new User(),v), + "process.attested_user.group.name" => static (e, v) => TryAssignUser("attested_user.group.name")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserGroupName" => static (e, v) => TryAssignUser("attested_user.group.name")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.calculated_level" => static (e, v) => TryAssignUser("attested_user.risk.calculated_level")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("attested_user.risk.calculated_level")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.calculated_score" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskCalculatedScore" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score_norm")(e.AttestedUser ??= new User(),v), + 
"ProcessAttestedUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("attested_user.risk.calculated_score_norm")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.static_level" => static (e, v) => TryAssignUser("attested_user.risk.static_level")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskStaticLevel" => static (e, v) => TryAssignUser("attested_user.risk.static_level")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.static_score" => static (e, v) => TryAssignUser("attested_user.risk.static_score")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskStaticScore" => static (e, v) => TryAssignUser("attested_user.risk.static_score")(e.AttestedUser ??= new User(),v), + "process.attested_user.risk.static_score_norm" => static (e, v) => TryAssignUser("attested_user.risk.static_score_norm")(e.AttestedUser ??= new User(),v), + "ProcessAttestedUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("attested_user.risk.static_score_norm")(e.AttestedUser ??= new User(),v), _ => null }; + return assign; + } + public static bool TrySetProcess(EcsDocument document, string path, object value) + { + var assign = TryAssignProcess(path); if (assign == null) return false; - + var entity = document.Process ?? new Process(); var assigned = assign(entity, value); if (assigned) document.Process = entity; return assigned; } - public static bool TrySetRegistry(EcsDocument document, string path, object value) + public static Func TryAssignRegistry(string path) { Func assign = path switch { 
@@ -2837,29 +4957,39 @@ public static bool TrySetRegistry(EcsDocument document, string path, object valu "RegistryValue" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Value = p), _ => null }; + return assign; + } + public static bool TrySetRegistry(EcsDocument document, string path, object value) + { + var assign = TryAssignRegistry(path); if (assign == null) return false; - + var entity = document.Registry ?? new Registry(); var assigned = assign(entity, value); if (assigned) document.Registry = entity; return assigned; } - public static bool TrySetRelated(EcsDocument document, string path, object value) + public static Func TryAssignRelated(string path) { Func assign = path switch { _ => null }; + return assign; + } + public static bool TrySetRelated(EcsDocument document, string path, object value) + { + var assign = TryAssignRelated(path); if (assign == null) return false; - + var entity = document.Related ?? new Related(); var assigned = assign(entity, value); if (assigned) document.Related = entity; return assigned; } - public static bool TrySetRisk(EcsDocument document, string path, object value) + public static Func TryAssignRisk(string path) { Func assign = path switch { @@ -2877,15 +5007,20 @@ public static bool TrySetRisk(EcsDocument document, string path, object value) "RiskStaticScoreNorm" => static (e, v) => TrySetFloat(e, v, static (ee, p) => ee.StaticScoreNorm = p), _ => null }; + return assign; + } + public static bool TrySetRisk(IRisk document, string path, object value) + { + var assign = TryAssignRisk(path); if (assign == null) return false; - + var entity = document.Risk ?? new Risk(); var assigned = assign(entity, value); if (assigned) document.Risk = entity; return assigned; } - public static bool TrySetRule(EcsDocument document, string path, object value) + public static Func TryAssignRule(string path) { Func assign = path switch { 
@@ -2909,15 +5044,20 @@ public static bool TrySetRule(EcsDocument document, string path, object value) "RuleVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetRule(EcsDocument document, string path, object value) + { + var assign = TryAssignRule(path); if (assign == null) return false; - + var entity = document.Rule ?? new Rule(); var assigned = assign(entity, value); if (assigned) document.Rule = entity; return assigned; } - public static bool TrySetServer(EcsDocument document, string path, object value) + public static Func TryAssignServer(string path) { Func assign = path switch { 
@@ -2945,17 +5085,78 @@ public static bool TrySetServer(EcsDocument document, string path, object value) "ServerSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "server.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "ServerTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "server.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "ServerAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "server.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "ServerAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "server.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "ServerGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "server.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "ServerGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "server.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "ServerGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "server.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "ServerGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "server.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "ServerGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "server.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "ServerGeoLocation" => static (e, v) => 
TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "server.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "ServerGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "server.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "ServerGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "server.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "ServerGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "server.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "ServerGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "server.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "ServerGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "server.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "ServerUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "server.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "ServerUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "server.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "ServerUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "server.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "ServerUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "server.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "ServerUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + 
"server.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "ServerUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "server.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "ServerUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "server.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "ServerUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "server.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "ServerUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "server.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "ServerUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "server.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "ServerUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "server.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "ServerUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "server.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "ServerUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "server.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "ServerUserRiskStaticScore" => static (e, v) => 
TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "server.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "ServerUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), _ => null }; + return assign; + } + public static bool TrySetServer(EcsDocument document, string path, object value) + { + var assign = TryAssignServer(path); if (assign == null) return false; - + var entity = document.Server ?? new Server(); var assigned = assign(entity, value); if (assigned) document.Server = entity; return assigned; } - public static bool TrySetService(EcsDocument document, string path, object value) + public static Func TryAssignService(string path) { Func assign = path switch { @@ -2981,15 +5182,20 @@ public static bool TrySetService(EcsDocument document, string path, object value "ServiceVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), _ => null }; + return assign; + } + public static bool TrySetService(EcsDocument document, string path, object value) + { + var assign = TryAssignService(path); if (assign == null) return false; - + var entity = document.Service ?? new Service(); var assigned = assign(entity, value); if (assigned) document.Service = entity; return assigned; } - public static bool TrySetSource(EcsDocument document, string path, object value) + public static Func TryAssignSource(string path) { Func assign = path switch { 
@@ -3017,17 +5223,78 @@ public static bool TrySetSource(EcsDocument document, string path, object value) "SourceSubdomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Subdomain = p), "source.top_level_domain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), "SourceTopLevelDomain" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.TopLevelDomain = p), + "source.as.number" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "SourceAsNumber" => static (e, v) => TryAssignAs("as.number")(e.As ??= new As(),v), + "source.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "SourceAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.As ??= new As(),v), + "source.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "SourceGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.Geo ??= new Geo(),v), + "source.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "SourceGeoContinentCode" => static (e, v) => TryAssignGeo("geo.continent_code")(e.Geo ??= new Geo(),v), + "source.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "SourceGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.Geo ??= new Geo(),v), + "source.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "SourceGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.Geo ??= new Geo(),v), + "source.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "SourceGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.Geo ??= new Geo(),v), + "source.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "SourceGeoLocation" => static (e, v) => 
TryAssignGeo("geo.location")(e.Geo ??= new Geo(),v), + "source.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "SourceGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.Geo ??= new Geo(),v), + "source.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "SourceGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.Geo ??= new Geo(),v), + "source.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "SourceGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.Geo ??= new Geo(),v), + "source.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "SourceGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.Geo ??= new Geo(),v), + "source.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "SourceGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.Geo ??= new Geo(),v), + "source.user.domain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "SourceUserDomain" => static (e, v) => TryAssignUser("user.domain")(e.User ??= new User(),v), + "source.user.email" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "SourceUserEmail" => static (e, v) => TryAssignUser("user.email")(e.User ??= new User(),v), + "source.user.full_name" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "SourceUserFullName" => static (e, v) => TryAssignUser("user.full_name")(e.User ??= new User(),v), + "source.user.hash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "SourceUserHash" => static (e, v) => TryAssignUser("user.hash")(e.User ??= new User(),v), + "source.user.id" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + "SourceUserId" => static (e, v) => TryAssignUser("user.id")(e.User ??= new User(),v), + 
"source.user.name" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "SourceUserName" => static (e, v) => TryAssignUser("user.name")(e.User ??= new User(),v), + "source.user.group.domain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "SourceUserGroupDomain" => static (e, v) => TryAssignUser("user.group.domain")(e.User ??= new User(),v), + "source.user.group.id" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "SourceUserGroupId" => static (e, v) => TryAssignUser("user.group.id")(e.User ??= new User(),v), + "source.user.group.name" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "SourceUserGroupName" => static (e, v) => TryAssignUser("user.group.name")(e.User ??= new User(),v), + "source.user.risk.calculated_level" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "SourceUserRiskCalculatedLevel" => static (e, v) => TryAssignUser("user.risk.calculated_level")(e.User ??= new User(),v), + "source.user.risk.calculated_score" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "SourceUserRiskCalculatedScore" => static (e, v) => TryAssignUser("user.risk.calculated_score")(e.User ??= new User(),v), + "source.user.risk.calculated_score_norm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "SourceUserRiskCalculatedScoreNorm" => static (e, v) => TryAssignUser("user.risk.calculated_score_norm")(e.User ??= new User(),v), + "source.user.risk.static_level" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "SourceUserRiskStaticLevel" => static (e, v) => TryAssignUser("user.risk.static_level")(e.User ??= new User(),v), + "source.user.risk.static_score" => static (e, v) => TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "SourceUserRiskStaticScore" => static (e, v) => 
TryAssignUser("user.risk.static_score")(e.User ??= new User(),v), + "source.user.risk.static_score_norm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), + "SourceUserRiskStaticScoreNorm" => static (e, v) => TryAssignUser("user.risk.static_score_norm")(e.User ??= new User(),v), _ => null }; + return assign; + } + public static bool TrySetSource(EcsDocument document, string path, object value) + { + var assign = TryAssignSource(path); if (assign == null) return false; - + var entity = document.Source ?? new Source(); var assigned = assign(entity, value); if (assigned) document.Source = entity; return assigned; } - public static bool TrySetThreat(EcsDocument document, string path, object value) + public static Func TryAssignThreat(string path) { Func assign = path switch { 
@@ -3087,17 +5354,298 @@ public static bool TrySetThreat(EcsDocument document, string path, object value) "ThreatSoftwareReference" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareReference = p), "threat.software.type" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), "ThreatSoftwareType" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.SoftwareType = p), + "threat.indicator.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeyExponent" => static (e, v) => 
TryAssignX509("x509.public_key_exponent")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.public_key_size" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ??= new X509(),v), + "ThreatIndicatorX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.IndicatorX509 ??= new X509(),v), + "threat.indicator.as.number" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ??= new As(),v), + "ThreatIndicatorAsNumber" => static (e, v) => TryAssignAs("as.number")(e.IndicatorAs ??= new As(),v), + "threat.indicator.as.organization.name" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ??= new As(),v), + "ThreatIndicatorAsOrganizationName" => static (e, v) => TryAssignAs("as.organization.name")(e.IndicatorAs ??= new As(),v), + "threat.indicator.file.accessed" => static (e, v) => 
TryAssignFile("file.accessed")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileAccessed" => static (e, v) => TryAssignFile("file.accessed")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.created" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCreated" => static (e, v) => TryAssignFile("file.created")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.ctime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCtime" => static (e, v) => TryAssignFile("file.ctime")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.device" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileDevice" => static (e, v) => TryAssignFile("file.device")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.directory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileDirectory" => static (e, v) => TryAssignFile("file.directory")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.drive_letter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileDriveLetter" => static (e, v) => TryAssignFile("file.drive_letter")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.extension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileExtension" => static (e, v) => TryAssignFile("file.extension")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.fork_name" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileForkName" => static (e, v) => TryAssignFile("file.fork_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.gid" => static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileGid" => 
static (e, v) => TryAssignFile("file.gid")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.group" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileGroup" => static (e, v) => TryAssignFile("file.group")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.inode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileInode" => static (e, v) => TryAssignFile("file.inode")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.mime_type" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMimeType" => static (e, v) => TryAssignFile("file.mime_type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.mode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMode" => static (e, v) => TryAssignFile("file.mode")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.mtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMtime" => static (e, v) => TryAssignFile("file.mtime")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.name" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileName" => static (e, v) => TryAssignFile("file.name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.owner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileOwner" => static (e, v) => TryAssignFile("file.owner")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.path" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePath" => static (e, v) => TryAssignFile("file.path")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.size" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ??= new 
File(),v), + "ThreatIndicatorFileSize" => static (e, v) => TryAssignFile("file.size")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.target_path" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileTargetPath" => static (e, v) => TryAssignFile("file.target_path")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.type" => static (e, v) => TryAssignFile("file.type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileType" => static (e, v) => TryAssignFile("file.type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.uid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileUid" => static (e, v) => TryAssignFile("file.uid")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.md5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashMd5" => static (e, v) => TryAssignFile("file.hash.md5")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha1" => static (e, v) => TryAssignFile("file.hash.sha1")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha256" => static (e, v) => TryAssignFile("file.hash.sha256")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha384" => static (e, v) => TryAssignFile("file.hash.sha384")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.sha512" => static (e, v) => TryAssignFile("file.hash.sha512")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSha512" => static (e, v) => 
TryAssignFile("file.hash.sha512")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.ssdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashSsdeep" => static (e, v) => TryAssignFile("file.hash.ssdeep")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.hash.tlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileHashTlsh" => static (e, v) => TryAssignFile("file.hash.tlsh")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.architecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeArchitecture" => static (e, v) => TryAssignFile("file.pe.architecture")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.company" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeCompany" => static (e, v) => TryAssignFile("file.pe.company")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.description" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeDescription" => static (e, v) => TryAssignFile("file.pe.description")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.file_version" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeFileVersion" => static (e, v) => TryAssignFile("file.pe.file_version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_import_hash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoImportHash" => static (e, v) => TryAssignFile("file.pe.go_import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_imports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ??= new 
File(),v), + "ThreatIndicatorFilePeGoImports" => static (e, v) => TryAssignFile("file.pe.go_imports")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.go_stripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeGoStripped" => static (e, v) => TryAssignFile("file.pe.go_stripped")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.imphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeImphash" => static (e, v) => TryAssignFile("file.pe.imphash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.import_hash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeImportHash" => static (e, v) => TryAssignFile("file.pe.import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.imports_names_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeImportsNamesEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ??= new 
File(),v), + "ThreatIndicatorFilePeImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.pe.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.original_file_name" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeOriginalFileName" => static (e, v) => TryAssignFile("file.pe.original_file_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.pehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePePehash" => static (e, v) => TryAssignFile("file.pe.pehash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.pe.product" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFilePeProduct" => static (e, v) => TryAssignFile("file.pe.product")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.issuer.distinguished_name" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509IssuerDistinguishedName" => static (e, v) => TryAssignFile("file.x509.issuer.distinguished_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.not_after" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509NotAfter" => static (e, v) => TryAssignFile("file.x509.not_after")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.not_before" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509NotBefore" => static (e, v) => TryAssignFile("file.x509.not_before")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_algorithm" => static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeyAlgorithm" => 
static (e, v) => TryAssignFile("file.x509.public_key_algorithm")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_curve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeyCurve" => static (e, v) => TryAssignFile("file.x509.public_key_curve")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_exponent" => static (e, v) => TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeyExponent" => static (e, v) => TryAssignFile("file.x509.public_key_exponent")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.public_key_size" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509PublicKeySize" => static (e, v) => TryAssignFile("file.x509.public_key_size")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.serial_number" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509SerialNumber" => static (e, v) => TryAssignFile("file.x509.serial_number")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.signature_algorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509SignatureAlgorithm" => static (e, v) => TryAssignFile("file.x509.signature_algorithm")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.subject.distinguished_name" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509SubjectDistinguishedName" => static (e, v) => TryAssignFile("file.x509.subject.distinguished_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.x509.version_number" => static (e, v) => 
TryAssignFile("file.x509.version_number")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileX509VersionNumber" => static (e, v) => TryAssignFile("file.x509.version_number")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.digest_algorithm" => static (e, v) => TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureDigestAlgorithm" => static (e, v) => TryAssignFile("file.code_signature.digest_algorithm")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.exists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureExists" => static (e, v) => TryAssignFile("file.code_signature.exists")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.signing_id" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureSigningId" => static (e, v) => TryAssignFile("file.code_signature.signing_id")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.status" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureStatus" => static (e, v) => TryAssignFile("file.code_signature.status")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.subject_name" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureSubjectName" => static (e, v) => TryAssignFile("file.code_signature.subject_name")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.team_id" => static (e, v) => TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureTeamId" => static (e, v) => 
TryAssignFile("file.code_signature.team_id")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.timestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureTimestamp" => static (e, v) => TryAssignFile("file.code_signature.timestamp")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.trusted" => static (e, v) => TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureTrusted" => static (e, v) => TryAssignFile("file.code_signature.trusted")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.code_signature.valid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileCodeSignatureValid" => static (e, v) => TryAssignFile("file.code_signature.valid")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.architecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfArchitecture" => static (e, v) => TryAssignFile("file.elf.architecture")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.byte_order" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfByteOrder" => static (e, v) => TryAssignFile("file.elf.byte_order")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.cpu_type" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfCpuType" => static (e, v) => TryAssignFile("file.elf.cpu_type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.creation_date" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfCreationDate" => static (e, v) => TryAssignFile("file.elf.creation_date")(e.IndicatorFile 
??= new File(),v), + "threat.indicator.file.elf.go_import_hash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoImportHash" => static (e, v) => TryAssignFile("file.elf.go_import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_imports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoImports" => static (e, v) => TryAssignFile("file.elf.go_imports")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.go_stripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfGoStripped" => static (e, v) => TryAssignFile("file.elf.go_stripped")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.abi_version" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderAbiVersion" => static (e, v) => TryAssignFile("file.elf.header.abi_version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.class" => static (e, v) => TryAssignFile("file.elf.header.class")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderClass" => static (e, v) => 
TryAssignFile("file.elf.header.class")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.data" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderData" => static (e, v) => TryAssignFile("file.elf.header.data")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.entrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderEntrypoint" => static (e, v) => TryAssignFile("file.elf.header.entrypoint")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.object_version" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderObjectVersion" => static (e, v) => TryAssignFile("file.elf.header.object_version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.os_abi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderOsAbi" => static (e, v) => TryAssignFile("file.elf.header.os_abi")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.type" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderType" => static (e, v) => TryAssignFile("file.elf.header.type")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.header.version" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfHeaderVersion" => static (e, v) => TryAssignFile("file.elf.header.version")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.import_hash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfImportHash" => static (e, v) => TryAssignFile("file.elf.import_hash")(e.IndicatorFile ??= new 
File(),v), + "threat.indicator.file.elf.imports_names_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfImportsNamesEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.elf.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.elf.telfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileElfTelfhash" => static (e, v) => TryAssignFile("file.elf.telfhash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_import_hash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImportHash" => static (e, v) => TryAssignFile("file.macho.go_import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_imports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImports" => static (e, v) => TryAssignFile("file.macho.go_imports")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoImportsNamesVarEntropy" => static 
(e, v) => TryAssignFile("file.macho.go_imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.go_stripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoGoStripped" => static (e, v) => TryAssignFile("file.macho.go_stripped")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.import_hash" => static (e, v) => TryAssignFile("file.macho.import_hash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoImportHash" => static (e, v) => TryAssignFile("file.macho.import_hash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.imports_names_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoImportsNamesEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.imports_names_var_entropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoImportsNamesVarEntropy" => static (e, v) => TryAssignFile("file.macho.imports_names_var_entropy")(e.IndicatorFile ??= new File(),v), + "threat.indicator.file.macho.symhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ??= new File(),v), + "ThreatIndicatorFileMachoSymhash" => static (e, v) => TryAssignFile("file.macho.symhash")(e.IndicatorFile ??= new File(),v), + "threat.indicator.geo.city_name" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoCityName" => static (e, v) => TryAssignGeo("geo.city_name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.continent_code" => static (e, v) => TryAssignGeo("geo.continent_code")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoContinentCode" => static (e, v) => 
TryAssignGeo("geo.continent_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.continent_name" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoContinentName" => static (e, v) => TryAssignGeo("geo.continent_name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.country_iso_code" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoCountryIsoCode" => static (e, v) => TryAssignGeo("geo.country_iso_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.country_name" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoCountryName" => static (e, v) => TryAssignGeo("geo.country_name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.location" => static (e, v) => TryAssignGeo("geo.location")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoLocation" => static (e, v) => TryAssignGeo("geo.location")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.name" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoName" => static (e, v) => TryAssignGeo("geo.name")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.postal_code" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoPostalCode" => static (e, v) => TryAssignGeo("geo.postal_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.region_iso_code" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoRegionIsoCode" => static (e, v) => TryAssignGeo("geo.region_iso_code")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.geo.region_name" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoRegionName" => static (e, v) => TryAssignGeo("geo.region_name")(e.IndicatorGeo ??= new Geo(),v), 
+ "threat.indicator.geo.timezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ??= new Geo(),v), + "ThreatIndicatorGeoTimezone" => static (e, v) => TryAssignGeo("geo.timezone")(e.IndicatorGeo ??= new Geo(),v), + "threat.indicator.registry.data.bytes" => static (e, v) => TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryDataBytes" => static (e, v) => TryAssignRegistry("registry.data.bytes")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.data.type" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryDataType" => static (e, v) => TryAssignRegistry("registry.data.type")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.hive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryHive" => static (e, v) => TryAssignRegistry("registry.hive")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.key" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryKey" => static (e, v) => TryAssignRegistry("registry.key")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.path" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryPath" => static (e, v) => TryAssignRegistry("registry.path")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.registry.value" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ??= new Registry(),v), + "ThreatIndicatorRegistryValue" => static (e, v) => TryAssignRegistry("registry.value")(e.IndicatorRegistry ??= new Registry(),v), + "threat.indicator.url.domain" => static (e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlDomain" => static 
(e, v) => TryAssignUrl("url.domain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.extension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlExtension" => static (e, v) => TryAssignUrl("url.extension")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.fragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlFragment" => static (e, v) => TryAssignUrl("url.fragment")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.full" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlFull" => static (e, v) => TryAssignUrl("url.full")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.original" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlOriginal" => static (e, v) => TryAssignUrl("url.original")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.password" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlPassword" => static (e, v) => TryAssignUrl("url.password")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.path" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlPath" => static (e, v) => TryAssignUrl("url.path")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.port" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlPort" => static (e, v) => TryAssignUrl("url.port")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.query" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlQuery" => static (e, v) => TryAssignUrl("url.query")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.registered_domain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ??= new Url(),v), + 
"ThreatIndicatorUrlRegisteredDomain" => static (e, v) => TryAssignUrl("url.registered_domain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.scheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlScheme" => static (e, v) => TryAssignUrl("url.scheme")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.subdomain" => static (e, v) => TryAssignUrl("url.subdomain")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlSubdomain" => static (e, v) => TryAssignUrl("url.subdomain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.top_level_domain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlTopLevelDomain" => static (e, v) => TryAssignUrl("url.top_level_domain")(e.IndicatorUrl ??= new Url(),v), + "threat.indicator.url.username" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ??= new Url(),v), + "ThreatIndicatorUrlUsername" => static (e, v) => TryAssignUrl("url.username")(e.IndicatorUrl ??= new Url(),v), _ => null }; + return assign; + } + public static bool TrySetThreat(EcsDocument document, string path, object value) + { + var assign = TryAssignThreat(path); if (assign == null) return false; - + var entity = document.Threat ?? new Threat(); var assigned = assign(entity, value); if (assigned) document.Threat = entity; return assigned; } - public static bool TrySetTls(EcsDocument document, string path, object value) + public static Func TryAssignTls(string path) { Func assign = path switch { 
@@ -3153,17 +5701,44 @@ public static bool TrySetTls(EcsDocument document, string path, object value) "TlsVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "tls.version_protocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), "TlsVersionProtocol" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionProtocol = p), + "tls.client.x509.issuer.distinguished_name" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ??= new X509(),v), + "TlsClientX509IssuerDistinguishedName" => static (e, v) => TryAssignX509("x509.issuer.distinguished_name")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.not_after" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ??= new X509(),v), + "TlsClientX509NotAfter" => static (e, v) => TryAssignX509("x509.not_after")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.not_before" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ??= new X509(),v), + "TlsClientX509NotBefore" => static (e, v) => TryAssignX509("x509.not_before")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_algorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeyAlgorithm" => static (e, v) => TryAssignX509("x509.public_key_algorithm")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_curve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeyCurve" => static (e, v) => TryAssignX509("x509.public_key_curve")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_exponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeyExponent" => static (e, v) => TryAssignX509("x509.public_key_exponent")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.public_key_size" => static (e, v) => 
TryAssignX509("x509.public_key_size")(e.ClientX509 ??= new X509(),v), + "TlsClientX509PublicKeySize" => static (e, v) => TryAssignX509("x509.public_key_size")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.serial_number" => static (e, v) => TryAssignX509("x509.serial_number")(e.ClientX509 ??= new X509(),v), + "TlsClientX509SerialNumber" => static (e, v) => TryAssignX509("x509.serial_number")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.signature_algorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ??= new X509(),v), + "TlsClientX509SignatureAlgorithm" => static (e, v) => TryAssignX509("x509.signature_algorithm")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.subject.distinguished_name" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ??= new X509(),v), + "TlsClientX509SubjectDistinguishedName" => static (e, v) => TryAssignX509("x509.subject.distinguished_name")(e.ClientX509 ??= new X509(),v), + "tls.client.x509.version_number" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ??= new X509(),v), + "TlsClientX509VersionNumber" => static (e, v) => TryAssignX509("x509.version_number")(e.ClientX509 ??= new X509(),v), _ => null }; + return assign; + } + public static bool TrySetTls(EcsDocument document, string path, object value) + { + var assign = TryAssignTls(path); if (assign == null) return false; - + var entity = document.Tls ?? new Tls(); var assigned = assign(entity, value); if (assigned) document.Tls = entity; return assigned; } - public static bool TrySetUrl(EcsDocument document, string path, object value) + public static Func TryAssignUrl(string path) { Func assign = path switch { 
@@ -3197,15 +5772,20 @@ public static bool TrySetUrl(EcsDocument document, string path, object value) "UrlUsername" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Username = p), _ => null }; + return assign; + } + public static bool TrySetUrl(EcsDocument document, string path, object value) + { + var assign = TryAssignUrl(path); if (assign == null) return false; - + var entity = document.Url ?? new Url(); var assigned = assign(entity, value); if (assigned) document.Url = entity; return assigned; } - public static bool TrySetUser(EcsDocument document, string path, object value) + public static Func TryAssignUser(string path) { Func assign = path switch { 
@@ -3221,17 +5801,40 @@ public static bool TrySetUser(EcsDocument document, string path, object value) "UserId" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Id = p), "user.name" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), "UserName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), + "user.group.domain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "UserGroupDomain" => static (e, v) => TryAssignGroup("group.domain")(e.Group ??= new Group(),v), + "user.group.id" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "UserGroupId" => static (e, v) => TryAssignGroup("group.id")(e.Group ??= new Group(),v), + "user.group.name" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "UserGroupName" => static (e, v) => TryAssignGroup("group.name")(e.Group ??= new Group(),v), + "user.risk.calculated_level" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "UserRiskCalculatedLevel" => static (e, v) => TryAssignRisk("risk.calculated_level")(e.Risk ??= new Risk(),v), + "user.risk.calculated_score" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "UserRiskCalculatedScore" => static (e, v) => TryAssignRisk("risk.calculated_score")(e.Risk ??= new Risk(),v), + "user.risk.calculated_score_norm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "UserRiskCalculatedScoreNorm" => static (e, v) => TryAssignRisk("risk.calculated_score_norm")(e.Risk ??= new Risk(),v), + "user.risk.static_level" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "UserRiskStaticLevel" => static (e, v) => TryAssignRisk("risk.static_level")(e.Risk ??= new Risk(),v), + "user.risk.static_score" => static (e, v) => TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "UserRiskStaticScore" => static (e, v) => 
TryAssignRisk("risk.static_score")(e.Risk ??= new Risk(),v), + "user.risk.static_score_norm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), + "UserRiskStaticScoreNorm" => static (e, v) => TryAssignRisk("risk.static_score_norm")(e.Risk ??= new Risk(),v), _ => null }; + return assign; + } + public static bool TrySetUser(IUser document, string path, object value) + { + var assign = TryAssignUser(path); if (assign == null) return false; - + var entity = document.User ?? new User(); var assigned = assign(entity, value); if (assigned) document.User = entity; return assigned; } - public static bool TrySetUserAgent(EcsDocument document, string path, object value) + public static Func TryAssignUserAgent(string path) { Func assign = path switch { 
@@ -3243,17 +5846,36 @@ public static bool TrySetUserAgent(EcsDocument document, string path, object val "UserAgentOriginal" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Original = p), "user_agent.version" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), "UserAgentVersion" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Version = p), + "user_agent.os.family" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "UserAgentOsFamily" => static (e, v) => TryAssignOs("os.family")(e.Os ??= new Os(),v), + "user_agent.os.full" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "UserAgentOsFull" => static (e, v) => TryAssignOs("os.full")(e.Os ??= new Os(),v), + "user_agent.os.kernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "UserAgentOsKernel" => static (e, v) => TryAssignOs("os.kernel")(e.Os ??= new Os(),v), + "user_agent.os.name" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "UserAgentOsName" => static (e, v) => TryAssignOs("os.name")(e.Os ??= new Os(),v), + "user_agent.os.platform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "UserAgentOsPlatform" => static (e, v) => TryAssignOs("os.platform")(e.Os ??= new Os(),v), + "user_agent.os.type" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "UserAgentOsType" => static (e, v) => TryAssignOs("os.type")(e.Os ??= new Os(),v), + "user_agent.os.version" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), + "UserAgentOsVersion" => static (e, v) => TryAssignOs("os.version")(e.Os ??= new Os(),v), _ => null }; + return assign; + } + public static bool TrySetUserAgent(EcsDocument document, string path, object value) + { + var assign = TryAssignUserAgent(path); if (assign == null) return false; - + var entity = document.UserAgent ?? 
new UserAgent(); var assigned = assign(entity, value); if (assigned) document.UserAgent = entity; return assigned; } - public static bool TrySetVlan(EcsDocument document, string path, object value) + public static Func TryAssignVlan(string path) { Func assign = path switch { @@ -3263,15 +5885,20 @@ public static bool TrySetVlan(EcsDocument document, string path, object value) "VlanName" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Name = p), _ => null }; + return assign; + } + public static bool TrySetVlan(IVlan document, string path, object value) + { + var assign = TryAssignVlan(path); if (assign == null) return false; - + var entity = document.Vlan ?? new Vlan(); var assigned = assign(entity, value); if (assigned) document.Vlan = entity; return assigned; } - public static bool TrySetVulnerability(EcsDocument document, string path, object value) + public static Func TryAssignVulnerability(string path) { Func assign = path switch { @@ -3301,15 +5928,20 @@ public static bool TrySetVulnerability(EcsDocument document, string path, object "VulnerabilitySeverity" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.Severity = p), _ => null }; + return assign; + } + public static bool TrySetVulnerability(EcsDocument document, string path, object value) + { + var assign = TryAssignVulnerability(path); if (assign == null) return false; - + var entity = document.Vulnerability ?? new Vulnerability(); var assigned = assign(entity, value); if (assigned) document.Vulnerability = entity; return assigned; } - public static bool TrySetX509(EcsDocument document, string path, object value) + public static Func TryAssignX509(string path) { Func assign = path switch { 
@@ -3337,8 +5969,13 @@ public static bool TrySetX509(EcsDocument document, string path, object value) "X509VersionNumber" => static (e, v) => TrySetString(e, v, static (ee, p) => ee.VersionNumber = p), _ => null }; + return assign; + } + public static bool TrySetX509(IX509 document, string path, object value) + { + var assign = TryAssignX509(path); if (assign == null) return false; - + var entity = document.X509 ?? new X509(); var assigned = assign(entity, value); if (assigned) document.X509 = entity; diff --git a/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs b/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs index b954e29c..dfce92a7 100644 --- a/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs +++ b/src/Elastic.CommonSchema/Serialization/EcsJsonContext.Generated.cs @@ -6,7 +6,7 @@ /* IMPORTANT NOTE ============== -This file has been generated. +This file has been generated. If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! */ @@ -66,4 +66,4 @@ namespace Elastic.CommonSchema.Serialization; [JsonSerializable(typeof(LogEntityJsonConverter.LogOriginInvalid))] [JsonSerializable(typeof(LogEntityJsonConverter.LogFileOriginInvalid))] [JsonSourceGenerationOptions(DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull)] -internal partial class EcsJsonContext : JsonSerializerContext { } +internal partial class EcsJsonContext : JsonSerializerContext { } \ No newline at end of file diff --git a/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs new file mode 100644 index 00000000..08270f47 --- /dev/null +++ b/tests/Elastic.CommonSchema.Serilog.Tests/Repro/GithubIssue402.cs 
@@ -0,0 +1,81 @@ +using System; +using System.Linq; +using FluentAssertions; +using Serilog.Context; +using Xunit; +using Xunit.Abstractions; + +namespace Elastic.CommonSchema.Serilog.Tests.Repro; + +public class GithubIssue402 : LogTestsBase +{ + public GithubIssue402(ITestOutputHelper output) : base(output) { } + + private void Setup(string key, T value, Action assert) => TestLogger((logger, getLogEvents) => + { + LogTemplateProperties.All.Should().Contain(key); + using (LogContext.PushProperty(key, value)) + logger.Information("Logging something with log context"); + + var logEvents = getLogEvents(); + logEvents.Should().HaveCount(1); + + var ecsEvents = ToEcsEvents(logEvents); + + var (_, info) = ecsEvents.First(); + info.Message.Should().Be("Logging something with log context"); + assert(info, value); + + //info.Labels.Should().NotBeNull().And.ContainKey("client.user.id"); + //info.Labels["ShipmentId"].Should().Be("my-shipment-id"); + + //info.Metadata.Should().NotBeNull().And.ContainKey("ShipmentAmount"); + //info.Metadata["ShipmentAmount"].Should().Be(2.3); + }); + + [Fact] + public void CanAssignNestedAs() => Setup("client.as.number", 1, (info, v) => + { + info.Client.Should().NotBeNull(); + info.Client!.As.Should().NotBeNull(); + info.Client!.As!.Number.Should().Be(v); + }); + + [Fact] + public void CanAssignNestedNatIp() => Setup("client.nat.ip", "ip", (info, v) => + { + info.Client.Should().NotBeNull(); + info.Client!.NatIp.Should().Be(v); + }); + + [Fact] + public void CanAssignDeeplyNestedThreatX509() => Setup("threat.indicator.x509.serial_number", "123", (info, v) => + { + info.Threat.Should().NotBeNull(); + info.Threat!.IndicatorX509.Should().NotBeNull(); + info.Threat!.IndicatorX509!.SerialNumber.Should().Be(v); + //info.Threat.IndicatorFile.Pe.Company + }); + [Fact] + public void CanAssignMultipleEntitiesDeep() => Setup("threat.indicator.file.pe.company", "comp", (info, v) => + { + info.Threat.Should().NotBeNull(); + 
info.Threat!.IndicatorFile.Should().NotBeNull(); + info.Threat!.IndicatorFile!.Pe.Should().NotBeNull(); + info.Threat.IndicatorFile!.Pe!.Company.Should().Be(v); + }); + + [Fact] + public void CanAssignThreatIndicatorAs() => Setup("threat.indicator.as.number", 123, (info, v) => + { + info.Threat.Should().NotBeNull(); + info.Threat!.IndicatorAs.Should().NotBeNull(); + info.Threat!.IndicatorAs!.Number.Should().Be(v); + }); + + [Fact(Skip = "self referential process parent not (yet) supported")] + public void CanAssignProcesssParent() => Setup("process.parent.executable", "bin", (info, v) => + { + info.Process.Should().NotBeNull(); + }); +} diff --git a/tools/Elastic.CommonSchema.Generator/FileGenerator.cs b/tools/Elastic.CommonSchema.Generator/FileGenerator.cs index 26339576..b82e0460 100644 --- a/tools/Elastic.CommonSchema.Generator/FileGenerator.cs +++ b/tools/Elastic.CommonSchema.Generator/FileGenerator.cs @@ -36,6 +36,7 @@ public static void Generate(CommonSchemaTypesProjection commonSchemaTypesProject { m => Generate(m, "Entities"), "Entities" }, { m => Generate(m, "Entities.ShouldSerialize"), "Generate ShouldSerialize special handling for Log and ECS" }, { m => Generate(m, "InlineObjects"), "Inline Objects" }, + { m => Generate(m, "AssignableInterfaces"), "Assignable Interfaces" }, { m => Generate(m, "IndexTemplates"), "Elasticsearch index templates" }, { m => Generate(m, "IndexComponents"), "Elasticsearch index components" }, }; diff --git a/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs b/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs index 0bf84998..9590c20e 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/ProjectionTypeExtensions.cs 
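Review bot: The commented-out assertions left in `Setup` (`//info.Labels...`, `//info.Metadata...`) and the `//info.Threat.IndicatorFile.Pe.Company` line in `CanAssignDeeplyNestedThreatX509` are dead code carried over from another test and should be deleted rather than committed. All cases exercise the happy path only; a case that pushes a value of the wrong type, for example a string for `client.as.number`, and asserts that `info.Client?.As` stays null would pin down what happens to the intermediate entities when the inner assigner rejects the value. `CanAssignNestedNatIp` pushes the literal `"ip"` for an ip-typed field, which passes because the field is assigned as a string, so the test does not show whether malformed addresses are accepted or rejected; a short comment saying that is intentional would help. A blank line is also missing between `CanAssignDeeplyNestedThreatX509` and the following `[Fact]`.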
@@ -37,6 +37,7 @@ public static string GetCastFromObject(this Field field)
case FieldType.Wildcard:
case FieldType.Text:
case FieldType.Ip:
+ case FieldType.GeoPoint:
return "TrySetString";
case FieldType.Boolean:
return "TrySetBool";
diff --git a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs
index 684b253c..0c4e412b 100644
--- a/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs
+++ b/tools/Elastic.CommonSchema.Generator/Projection/PropertyReference.cs
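Review bot: Mapping `FieldType.GeoPoint` to `"TrySetString"` silently decides that geo_point values are only ever assigned from strings; ECS geo_point also accepts object and array forms, and values arriving in those shapes will presumably be rejected by the string setter rather than converted. If that limitation is intended, a comment on the new case, `// geo_point is only accepted in its "lat,lon" string form; object/array forms are not assigned`, would record it, and the restriction should be visible to users of the generated `TrySet*` API.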
@@ -1,30 +1,28 @@ +using System; using System.Linq; using System.Text.RegularExpressions; using Elastic.CommonSchema.Generator.Schema.DTO; namespace Elastic.CommonSchema.Generator.Projection { - public abstract class PropertyReference + public abstract class PropertyReference(Field field, string localPath, string fullPath) { - protected PropertyReference(string localPath, string fullPath) - { - LocalPath = localPath; - FullPath = fullPath; - } - + protected string LocalPath { get; } = localPath; + public string FullPath { get; } = fullPath; + public string LogTemplateAlternative => FullPath.PascalCase(); public string JsonProperty => FullPath.GetLocalProperty(LocalPath); public string Name => JsonProperty.PascalCase(); + public virtual bool IsArray { get; } = field?.Normalize.Contains("array") ?? false; + public virtual string Description { get; } = GetFieldDescription(field); + public virtual string Example { get; } = NormalizeDescription(field?.Example?.ToString() ?? string.Empty); + public virtual string ClrType { get; } = field?.GetClrType(); - public string LocalPath { get; } - public string FullPath { get; } - public string LogTemplateAlternative => FullPath.PascalCase(); - - public abstract string Description { get; } - public abstract string Example { get; } + public virtual bool IsAssignable => !IsArray && !string.IsNullOrWhiteSpace(ClrType); protected static string NormalizeDescription(string description) { + if (description == null) return string.Empty; var multiLineDescription = Regex.Replace(description, @"\n", "\r\n /// "); multiLineDescription = multiLineDescription.Replace("<", "<").Replace(">", ">"); multiLineDescription = multiLineDescription.Replace("ATT&CK", "ATT&CK"); 
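Review bot: `field?.Normalize.Contains("array") ?? false` in the new `IsArray` initializer guards `field` but not `Normalize`; if the schema DTO can leave `Normalize` unset, this throws while constructing every property reference. The previous `InlineObjectPropertyReference` code carried the same assumption, so it is not a regression, but the primary-constructor form now evaluates it for every subclass, including `EntityPropertyReference`, which passes `null` as the field. `field?.Normalize?.Contains("array") ?? false` is the cheap defensive form if `Normalize` is optional.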
@@ -38,8 +36,9 @@ protected static string NormalizeDescription(string description) /// /// /// - protected static string GetFieldDescription(Field field) + private static string GetFieldDescription(Field field) { + if (field == null) return string.Empty; var multiLineDescription = NormalizeDescription(field.Description); var description = $@"{multiLineDescription}"; 
@@ -74,60 +73,91 @@ protected static string GetFieldDescription(Field field) } return description; } + } - public class ValueTypePropertyReference : PropertyReference + public class NestedValueTypePropertyReference : ValueTypePropertyReference { - public ValueTypePropertyReference(string parentPath, string fullPath, Field field) : base(parentPath, fullPath) + internal NestedValueTypePropertyReference(Field field, string parentPath, string fullPath, EntityPropertyReference property) + : base(field, parentPath, fullPath) { - ClrType = field.GetClrType(); - ReadJsonType = ClrType.PascalCase(); - CastFromObject = field.GetCastFromObject(); - Description = GetFieldDescription(field); - Example = NormalizeDescription(field.Example?.ToString() ?? string.Empty); + Entity = property.Entity; + ContainerPath = property.Name; + ContainerPathEntity = property.Entity.Name; + } + public EntityClass Entity { get; } - public string CastFromObject { get; } - public string ReadJsonType { get; } - public string ClrType { get; } - public override string Description { get; } - public override string Example { get; } + public string ContainerPath { get; } + public string ContainerPathEntity { get; } } - public class InlineObjectPropertyReference : PropertyReference + public class ValueTypePropertyReference + : PropertyReference { - public InlineObjectPropertyReference(string parentPath, string fullPath, InlineObject inlineObject, Field field) : base(parentPath, fullPath) + public ValueTypePropertyReference(Field field, string parentPath, string fullPath) : base(field, parentPath, fullPath) { - InlineObject = inlineObject; Field = field; - Description = GetFieldDescription(field); - Example = NormalizeDescription(field.Example?.ToString() ?? 
string.Empty); + ReadJsonType = field.GetClrType().PascalCase(); + } + + public ValueTypePropertyReference(ValueTypePropertyReference self, string localPath, string fullPath) + : base(self.Field, localPath, fullPath) + { + Field = self.Field; + ReadJsonType = self.ReadJsonType; + SelfReferential = true; + } - public InlineObject InlineObject { get; } public Field Field { get; } + public string ReadJsonType { get; } + public bool SelfReferential { get; } - public string ClrType => Field.Normalize.Contains("array") ? $"{InlineObject.Name}[]" : $"{InlineObject.Name}"; - public override string Description { get; } - public override string Example { get; } + public override bool IsAssignable => base.IsAssignable && !SelfReferential; + + // creates deeply nested entity value type property references with updated paths + public ValueTypePropertyReference CreateSettableTypePropertyReference(EntityPropertyReference property) + { + var propertyKey = property.FullPath.Split('.').First(); + var pre = string.Join('.', property.FullPath.Split('.')[1..]); + var post = string.Join('.', FullPath.Split('.')[1..]); + var entityKey = string.Join('.', property.FullPath.Split('.')[..^1]); + var fullPath = $"{propertyKey}.{pre}.{post}"; + + return new NestedValueTypePropertyReference(Field, entityKey, fullPath, property); + } + } + + public class InlineObjectPropertyReference(Field field, string parentPath, string fullPath, InlineObject inlineObject) + : PropertyReference(field, parentPath, fullPath) + { + public InlineObject InlineObject { get; } = inlineObject; + public Field Field { get; } = field; + + public override string ClrType => IsArray ? 
$"{InlineObject.Name}[]" : $"{InlineObject.Name}"; } public class EntityPropertyReference : PropertyReference { - public EntityPropertyReference(string parentPath, string fullPath, EntityClass entity, string description, bool isArray) : base(parentPath, fullPath) + public EntityPropertyReference(string parentPath, string fullPath, EntityClass entity, string description, bool isArray) + : base(null, parentPath, fullPath) { var multiLineDescription = NormalizeDescription(description); Entity = entity; Description = multiLineDescription; Example = ""; ClrType = Entity.Name; - if (isArray) ClrType += "[]"; - + IsArray = isArray; + if (isArray) ClrType = $"{Entity.Name}[]"; } public EntityClass Entity { get; } - public string ClrType { get; } + public override bool IsAssignable => base.IsAssignable && Entity is not SelfReferentialReusedEntityClass; + + public override string ClrType { get; } + public override bool IsArray { get; } public override string Description { get; } public override string Example { get; } } diff --git a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs index b59ad8ef..ca17680b 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/TypeProjector.cs @@ -1,8 +1,12 @@ +using System; using System.Collections.Generic; using System.Collections.ObjectModel; using System.Linq; +using CsQuery.Engine.PseudoClassSelectors; using Elastic.CommonSchema.Generator.Schema; using Elastic.CommonSchema.Generator.Schema.DTO; +using Microsoft.CodeAnalysis; +using YamlDotNet.Core.Tokens; namespace Elastic.CommonSchema.Generator.Projection { 
@@ -25,6 +29,10 @@ public class CommonSchemaTypesProjection public ReadOnlyCollection Warnings { get; set; } public IReadOnlyCollection IndexTemplates { get; set; } public IReadOnlyCollection IndexComponents { get; set; } + + public List AssignableInterfaces { get; set; } + + public List AssignablePropDispatches { get; set; } // ReSharper restore PropertyCanBeMadeInitOnly.Global } 
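Review bot: `AssignableInterfaces` and `AssignablePropDispatches` are exposed as `List` with public setters, while the neighbouring `IndexTemplates` and `IndexComponents` are `IReadOnlyCollection`, and the `ReSharper restore PropertyCanBeMadeInitOnly` comment directly below suggests the intent is init-only. Declaring them as read-only collections with `{ get; init; }` would match the rest of the projection and keep templates from mutating them.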
@@ -97,12 +105,39 @@ public CommonSchemaTypesProjection CreateProjection() var nestedEntityTypes = CreateEntityTypes(); + var entities = EntityClasses.Values; + var assignables = entities + .Concat(nestedEntityTypes.Values) + .Where(e => e.EntityReferences.Count > 0) + .SelectMany(e => e.EntityReferences.Select(r => (EntityClass: e, EntityPropertyReference: r)).ToList()) + .Select(r => + { + var prop = r.EntityPropertyReference; + var sharedKey = prop.Key.Split('.') switch + { + [.. { Length: > 1 } ] a => string.Join('.', a[1..]).PascalCase(), + _ => prop.Key.PascalCase() + }; + if (r.EntityPropertyReference.Value.Entity is SelfReferentialReusedEntityClass s) + sharedKey = s.Name; + return (Key: sharedKey, r.EntityClass, r.EntityPropertyReference); + }) + .GroupBy(e => e.Key) + .SelectMany(g => + g.Select(r => r.EntityPropertyReference.Value).DistinctBy(r=>r.ClrType) + .Select(r => new AssignableEntityInterface(g.Key, r, g.Select(r=>r.EntityClass).ToList())) + ) + //.DistinctBy(g=>g.Name) + .ToList(); + foreach (var entity in entities) + entity.AssignableInterfaces = assignables.Where(a => a.Entities.Contains(entity)).DistinctBy(a=>a.Name).ToList(); + Projection = new CommonSchemaTypesProjection { Version = Schema.Version, GitRef = Schema.GitRef, FieldSets = FieldSetsBaseClasses.Values.Where(e=>e.FieldSet.Root != true || e.FieldSet.Name == "base" ).ToList(), - EntityClasses = EntityClasses.Values.Where(e=>e.Name != "EcsDocument" && e.BaseFieldSet.FieldSet.Root != true).ToList(), + EntityClasses = EntityClasses.Values.Where(e => e.Name != "EcsDocument" && e.BaseFieldSet.FieldSet.Root != true).ToList(), EntitiesWithPropertiesAtRoot = new Dictionary { { EntityClasses.Values.First(e=>e.Name == "Log"), new []{"level"}}, 
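Review bot: In the `assignables` query the inner lambda `g.Select(r=>r.EntityClass)` reuses the name `r` while the enclosing `.Select(r => new AssignableEntityInterface(...))` already binds `r`, which current C# accepts but makes the expression hard to read, and it is re-evaluated for every distinct `ClrType` in the group. Hoisting it once per group, `var owners = g.Select(x => x.EntityClass).ToList();`, before the inner `Select` fixes both. The `.ToList()` inside the earlier `SelectMany` materialises each per-entity tuple list for no reason, and the commented-out `//.DistinctBy(g=>g.Name)` should either be enabled or removed, since the `ToDictionary` on `Name` in the next hunk (L405) depends on names being unique. `CreateProjection` starts before this hunk and continues past it.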
@@ -112,10 +147,27 @@ public CommonSchemaTypesProjection CreateProjection() InlineObjects = InlineObjects.Values.ToList(), NestedEntityClasses = nestedEntityTypes.Values.ToList(), Warnings = Warnings.AsReadOnly(), - IndexTemplates = Schema.Templates.Select(kv=>new IndexTemplate(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), - IndexComponents = Schema.Components.Select(kv=>new IndexComponent(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), - + IndexTemplates = Schema.Templates.Select(kv => new IndexTemplate(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), + IndexComponents = Schema.Components.Select(kv => new IndexComponent(kv.Key, kv.Value, Schema.Version)).OrderBy(t=>t.Name).ToList(), + AssignableInterfaces = assignables }; + + var assignableToEcsDocument = Projection.EntityClasses.Select(e=> assignables.FirstOrDefault(a=>a.Property.Entity == e && a.Property.Name == e.Name)).Where(a => a != null).ToList(); + Projection.Base.AssignableInterfaces = assignableToEcsDocument; + + var allEntities = Projection.EntityClasses.Concat(Projection.NestedEntityClasses).ToDictionary(kv=>kv.Name); + var assignable = Projection.AssignableInterfaces.ToDictionary(e => e.Name.Substring(1, e.Name.Length - 1)); + var propDispatches = new List(); + foreach (var (name, entity) in allEntities) + { + var found = assignable.TryGetValue(name, out var a); + if (found && a.Property.IsArray) + continue; + if (entity is SelfReferentialReusedEntityClass) + continue; + propDispatches.Add(new PropDispatch(entity, a)); + } + Projection.AssignablePropDispatches = propDispatches; return Projection; } 
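Review bot: `Projection.AssignableInterfaces.ToDictionary(e => e.Name.Substring(1, e.Name.Length - 1))` throws `ArgumentException` if two interfaces share a `Name`, and the query that builds them keeps one entry per distinct `ClrType` within a key, so a property referenced both as `Foo` and `Foo[]` would produce two `IFoo` entries; the `//.DistinctBy(g=>g.Name)` left commented out at L404 suggests this was observed. Either dedupe by name with an explicit rule before this line or group here, e.g. `GroupBy(e => e.Name[1..]).ToDictionary(g => g.Key, g => g.FirstOrDefault(a => !a.Property.IsArray) ?? g.First())`, so the preference for the non-array property is stated rather than left to a duplicate-key exception. `Substring(1, e.Name.Length - 1)` is simply `Substring(1)` or `e.Name[1..]`. `CreateProjection` starts before this hunk.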
@@ -177,7 +229,7 @@ private Dictionary CreateEntityTypes() var nestedPath = parentPaths.FirstOrDefault(p => nestedEntityClasses.ContainsKey(p)); var entityPath = parentPaths.FirstOrDefault(p => EntityClasses.ContainsKey(p)); var description = entity is SelfReferentialReusedEntityClass s ? s.ReuseDescription : entity.BaseFieldSet.FieldSet.Description; - var isArray = entity is SelfReferentialReusedEntityClass ss && ss.IsArray; + var isArray = entity is SelfReferentialReusedEntityClass { IsArray: true }; if (!string.IsNullOrEmpty(nestedPath)) { var nestedEntityClassRef = new EntityPropertyReference(nestedPath, fullName, entity, description, isArray); @@ -226,10 +278,10 @@ private void ExtractValueTypesAndInlineObjectDefinitions() currentPropertyReferences[fullPath] = currentPropertyReferences.TryGetValue(fullPath, out var p) ? p - : new InlineObjectPropertyReference(parentPath, fullPath, InlineObjects[fullPath], field); + : new InlineObjectPropertyReference(field, parentPath, fullPath, InlineObjects[fullPath]); } else - currentPropertyReferences[fullPath] = new ValueTypePropertyReference(parentPath, fullPath, field); + currentPropertyReferences[fullPath] = new ValueTypePropertyReference(field, parentPath, fullPath); } else { @@ -255,13 +307,13 @@ private void ExtractValueTypesAndInlineObjectDefinitions() currentPropertyReferences[path] = currentPropertyReferences.TryGetValue(path, out var p) ? p - : new InlineObjectPropertyReference(parentPath, path, InlineObjects[path], field); + : new InlineObjectPropertyReference(field, parentPath, path, InlineObjects[path]); currentPropertyReferences = InlineObjects[path].Properties; parentPath = path; foundInlineObjectPath = true; } if (!foundInlineObjectPath) parentPath = name; - currentPropertyReferences[fullPath] = new ValueTypePropertyReference(parentPath, fullPath, field); + currentPropertyReferences[fullPath] = new ValueTypePropertyReference(field, parentPath, fullPath); } } } 
diff --git a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs index a9dffafe..f3a1a2e5 100644 --- a/tools/Elastic.CommonSchema.Generator/Projection/Types.cs +++ b/tools/Elastic.CommonSchema.Generator/Projection/Types.cs @@ -1,38 +1,30 @@ +using System; using System.Collections.Generic; using System.Linq; +using System.Text.RegularExpressions; using Elastic.CommonSchema.Generator.Schema.DTO; namespace Elastic.CommonSchema.Generator.Projection { - public class FieldSetBaseClass + public class FieldSetBaseClass(FieldSet fieldSet) { - public FieldSetBaseClass(FieldSet fieldSet) => FieldSet = fieldSet; - - public FieldSet FieldSet { get; } + public FieldSet FieldSet { get; } = fieldSet; public string Name => $"{FieldSet.Name.PascalCase()}FieldSet"; public Dictionary Properties { get; } = new(); - public IEnumerable SettableProperties => - ValueProperties.Where(p => !string.IsNullOrEmpty(p.CastFromObject)); - public IEnumerable ValueProperties => Properties.Values.OfType(); public IEnumerable InlineObjectProperties => Properties.Values.OfType(); + } - public class InlineObject + public class InlineObject(string name, Field field) { - public string Name { get; } - public Field Field { get; } - - public InlineObject(string name, Field field) - { - Name = name.PascalCase(); - Field = field; - } + public string Name { get; } = name.PascalCase(); + public Field Field { get; } = field; public Dictionary Properties { get; } = new(); 
@@ -41,25 +33,38 @@ public InlineObject(string name, Field field) public IEnumerable ValueProperties => Properties.Values.OfType(); - public IEnumerable InlineObjectProperties => - Properties.Values.OfType(); - public IEnumerable EntityProperties => EntityReferences.Values; public bool IsDictionary => ValueProperties.Count() + EntityProperties.Count() == 0; } - public class SelfReferentialReusedEntityClass : EntityClass + public class SelfReferentialReusedEntityClass + : EntityClass { public SelfReferentialReusedEntityClass(string name, FieldSetBaseClass baseFieldSet, string reuseDescription, bool isArray) : base(name, baseFieldSet) { ReuseDescription = reuseDescription; IsArray = isArray; + + Find = baseFieldSet.FieldSet.Name; + Replace = name; } + public string Replace { get; set; } + public string Find { get; set; } public string ReuseDescription { get; } public bool IsArray { get; } + + protected override IEnumerable OwnProperties => + BaseFieldSet.ValueProperties.Where(p => p.IsAssignable) + .Select(v=> + { + var localPath = Replace; + var fullPath = Regex.Replace(v.FullPath, $@"^{Find}\.", $"{Replace}."); + + return new ValueTypePropertyReference(v, localPath, fullPath); + }); } @@ -67,11 +72,13 @@ public class EntityClass { public EntityClass(string name, FieldSetBaseClass baseFieldSet) { + OriginalName = name; Name = name.PascalCase(); if (Name == "Base") Name = "EcsDocument"; BaseFieldSet = baseFieldSet; } + internal string OriginalName { get; } public string Name { get; } public FieldSetBaseClass BaseFieldSet { get; } public bool Partial => Name is "EcsDocument" or "Log" or "Ecs"; 
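Review bot: `Regex.Replace(v.FullPath, $@"^{Find}\.", $"{Replace}.")` interpolates `Find` (the field set name read from the schema) straight into a pattern and `Replace` into a replacement string, where `.`, `$` and similar characters carry meaning; schema names are plain identifiers today, so this is a correctness hazard rather than a security boundary, but `Regex.Escape(Find)` costs nothing. Since the pattern is an anchored literal prefix, a string check is clearer and avoids the regex entirely: `var fullPath = v.FullPath.StartsWith($"{Find}.", StringComparison.Ordinal) ? $"{Replace}." + v.FullPath[(Find.Length + 1)..] : v.FullPath;`. `Find` and `Replace` are only assigned in the constructor and can be get-only, and `OwnProperties` re-runs this projection on every access because it is a deferred `IEnumerable`.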
@@ -79,7 +86,116 @@ public EntityClass(string name, FieldSetBaseClass baseFieldSet) public Dictionary EntityReferences { get; } = new(); public IEnumerable EntityProperties => EntityReferences.Values; + + protected virtual IEnumerable OwnProperties => + BaseFieldSet.ValueProperties.Where(p => p.IsAssignable); + + public IEnumerable SettableProperties + { + get + { + if (Name is "EcsDocument") + return OwnProperties; + return OwnProperties + .Concat(EntityProperties + .Where(p => p.IsAssignable) + .SelectMany(e => e.Entity.SettableProperties + .Select(s => s.CreateSettableTypePropertyReference(e)) + ) + ) + .DistinctBy(e => e.Name); + } + } + + public IList DispatchProperties => SettableProperties.Select(s=> new DispatchProperty(s)).ToList(); + + + //provided later + public List AssignableInterfaces { get; set; } = new(); + + public string AssignableInterfacesAsString + { + get + { + if (!AssignableInterfaces.Any()) return string.Empty; + return $", {string.Join(", ", AssignableInterfaces.Select(i => i.Name))}"; + } + } + } + + /// + /// Represents an interface for entities that can set a particular nested property. + /// E.g. both EcsDocument and Client have an `As` property of type `As`. 
+ /// + public class AssignableEntityInterface(string name, EntityPropertyReference property, List entities) + { + public EntityPropertyReference Property { get; } = property; + public List Entities { get; } = entities; + public string Name { get; } = $"I{name}"; + } + + + public class DispatchProperty + { + public bool IsEntityDispatch { get; } + public string FullPath { get; } + public string LogTemplateAlternative { get; } + public string CastFromObject { get; } + public string ContainerPath { get; } = string.Empty; + public string ContainerPathEntity { get; } = string.Empty; + + public string Name { get; } + public string JsonProperty { get; } + public bool SelfReferential { get; } + + public DispatchProperty(PropertyReference property) + { + JsonProperty = property.JsonProperty; + FullPath = property.FullPath; + LogTemplateAlternative = property.LogTemplateAlternative; + Name = property.Name; + switch (property) + { + case NestedValueTypePropertyReference nested: + IsEntityDispatch = true; + CastFromObject = $"TryAssign{nested.Entity.Name}"; + ContainerPath = nested.ContainerPath; + ContainerPathEntity = nested.ContainerPathEntity; + SelfReferential = nested.SelfReferential; + break; + case ValueTypePropertyReference value: + CastFromObject = value.Field.GetCastFromObject(); + SelfReferential = value.SelfReferential; + break; + } + } } + public class PropDispatch + { + public string Name { get; } + public string FuncTarget { get; } + public string AssignTarget { get; } + public EntityClass Entity { get; } + public string AssignParameter { get; } + public string AssignEntity { get; set; } + public List AssignableProperties { get; set; } + + public PropDispatch(EntityClass entity, AssignableEntityInterface assignable) + { + Name = entity.Name; + FuncTarget = entity.Name; + AssignEntity = entity.Name; + Entity = entity; + AssignTarget = entity.Name; + AssignableProperties = Entity.SettableProperties.Select(e => new DispatchProperty(e)).ToList(); + AssignParameter 
= "EcsDocument"; + if (assignable is not null) + { + AssignParameter = $"I{Name}"; + AssignTarget = assignable.Property.Name; + } + } + } } diff --git a/tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml new file mode 100644 index 00000000..56c660f6 --- /dev/null +++ b/tools/Elastic.CommonSchema.Generator/Views/AssignableInterfaces.Generated.cshtml @@ -0,0 +1,41 @@ +@* ReSharper disable once RedundantUsingDirective *@ +@using System +@using System.Linq +@inherits Elastic.CommonSchema.Generator.Views.CodeTemplatePage +// Licensed to Elasticsearch B.V under one or more agreements. +// Elasticsearch B.V licenses this file to you under the Apache 2.0 License. +// See the LICENSE file in the project root for more information + +/* +IMPORTANT NOTE +============== +This file has been generated. +If you wish to submit a PR please modify the original csharp file and submit the PR with that change. Thanks! +*/ + +// ReSharper disable RedundantUsingDirective +using System; +using System.Collections.Generic; +using System.Threading; +using System.Threading.Tasks; +using System.Linq; +using System.Net; +using System.Runtime.Serialization; +using System.Text.Json.Serialization; + +#nullable enable +namespace Elastic.CommonSchema +{ +@foreach (var inlineObject in Model.AssignableInterfaces) +{ + var prop = inlineObject.Property; + var implementations = string.Join(", ", inlineObject.Entities.Select(e=>e.Name)); + + /// Interface for entities that can assign an @(inlineObject.Name): @(implementations) + public interface @inlineObject.Name { + ///@prop.JsonProperty + public @prop.ClrType? @prop.Name { get; set; } + } + +} +} diff --git a/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml index 38ce99cf..4cf6c5bc 100644 
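Review bot: The `switch (property)` in the `DispatchProperty` constructor has no default arm, so any `PropertyReference` that is neither a `NestedValueTypePropertyReference` nor a `ValueTypePropertyReference` leaves the non-nullable `CastFromObject` (and `ContainerPath`'s entity name) as `null`, and the PropDispatch template would then emit `(e, v, …)` with no method name, producing a compile error in generated code rather than a clear generator failure. Adding `default: throw new InvalidOperationException($"Unsupported property reference {property.GetType().Name} for '{property.FullPath}'");` fails fast at generation time. Separately, `SettableProperties` ends in `.DistinctBy(e => e.Name)`, which silently drops any nested property whose generated `Name` collides with an own property or another nested path; if such a collision is not expected, a guard that throws on duplicates would surface schema changes instead of quietly omitting a field from the dispatcher. Whether collisions can occur depends on how `CreateSettableTypePropertyReference` builds `Name`, which is outside this hunk.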
--- a/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/EcsDocument.Generated.cshtml @@ -27,7 +27,7 @@ using Elastic.CommonSchema.Serialization; namespace Elastic.CommonSchema { /// - public partial class @Model.Base.Name : @Model.Base.BaseFieldSet.Name + public partial class @Model.Base.Name : @Model.Base.BaseFieldSet.Name @Model.Base.AssignableInterfacesAsString { /// diff --git a/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml index 4643e6a5..88363fad 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/EcsJsonContext.Generated.cshtml @@ -27,5 +27,7 @@ namespace Elastic.CommonSchema.Serialization; [JsonSerializable(typeof(@entity.Name))] } +[JsonSerializable(typeof(LogEntityJsonConverter.LogOriginInvalid))] +[JsonSerializable(typeof(LogEntityJsonConverter.LogFileOriginInvalid))] [JsonSourceGenerationOptions(DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull)] internal partial class EcsJsonContext : JsonSerializerContext { } \ No newline at end of file diff --git a/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml index 05bccb7e..330e6894 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/Entities.Generated.cshtml @@ -29,7 +29,7 @@ namespace Elastic.CommonSchema { /// - public class @entity.Name : @entity.BaseFieldSet.Name { + public class @entity.Name : @entity.BaseFieldSet.Name @entity.AssignableInterfacesAsString { @foreach (var property in entity.EntityProperties) { 
@@ -48,7 +48,7 @@ namespace Elastic.CommonSchema { /// - public@(entity.Partial ? " partial" : "") class @entity.Name : @entity.BaseFieldSet.Name { + public@(entity.Partial ? " partial" : "") class @entity.Name : @entity.BaseFieldSet.Name @entity.AssignableInterfacesAsString { @foreach (var property in entity.EntityProperties) { diff --git a/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml index e7a46fdc..8f49fc32 100644 --- a/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/LogTemplateProperties.Generated.cshtml @@ -29,7 +29,7 @@ namespace Elastic.CommonSchema ///All properties that supports public static class LogTemplateProperties { -@foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) +@foreach (var prop in Model.Base.SettableProperties) { /// /// @prop.FullPath @@ -41,7 +41,7 @@ namespace Elastic.CommonSchema } @foreach (var entity in Model.EntityClasses) { - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in entity.SettableProperties) { /// /// @prop.FullPath @@ -57,7 +57,7 @@ namespace Elastic.CommonSchema ///All properties that supports public static readonly HashSet@(Raw("")) All = new() { -@foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) +@foreach (var prop in Model.Base.SettableProperties) { "@prop.FullPath", @prop.LogTemplateAlternative, @@ -65,7 +65,7 @@ namespace Elastic.CommonSchema } @foreach (var entity in Model.EntityClasses) { - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in entity.SettableProperties) { "@prop.FullPath", @prop.LogTemplateAlternative, diff --git a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml index 6feff970..64a2aa4b 100644 
--- a/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml +++ b/tools/Elastic.CommonSchema.Generator/Views/PropDispatch.Generated.cshtml @@ -106,7 +106,7 @@ namespace Elastic.CommonSchema { switch (path) { - @foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) + @foreach (var prop in Model.Base.SettableProperties) { case "@prop.FullPath": case "@prop.LogTemplateAlternative": @@ -115,11 +115,11 @@ namespace Elastic.CommonSchema return TrySet@(@Model.Base.Name)(document, path, value); @foreach (var entity in Model.EntityClasses) { - if (!entity.BaseFieldSet.SettableProperties.Any()) + if (!entity.SettableProperties.Any()) { continue; } - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in entity.SettableProperties) { case "@prop.FullPath": case "@prop.LogTemplateAlternative": @@ -137,7 +137,7 @@ namespace Elastic.CommonSchema { Func@(Raw("<"))@(Model.Base.Name), object, bool@(Raw(">")) assign = path switch { - @foreach (var prop in Model.Base.BaseFieldSet.SettableProperties) + @foreach (var prop in Model.Base.DispatchProperties) { "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), 
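Review bot: The `@@ -137` hunk iterates `Model.Base.DispatchProperties` but renders every entry in the value-type form `@(prop.CastFromObject)(e, v, …)`, without the `IsEntityDispatch` branch the per-entity dispatcher uses; this is only correct because `EntityClass.SettableProperties` returns `OwnProperties` alone when `Name is "EcsDocument"`, a coupling that is not stated in the template. A short Razor comment above the loop would keep the two in sync: `@* EcsDocument only exposes its own value properties (EntityClass.SettableProperties special-cases "EcsDocument"), so no entity-dispatch branch is needed here *@`. If that special case is ever removed, an entity-dispatch property would reach this loop and be rendered with the wrong call shape, so alternatively the loop could reuse the same `if (!prop.IsEntityDispatch)` split as the entity dispatcher.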
@@ -147,26 +147,41 @@ namespace Elastic.CommonSchema }; return assign != null && assign(document, value); } -@foreach (var entity in Model.EntityClasses) +@foreach (var dispatch in Model.AssignablePropDispatches) { + var entity = dispatch.Entity; - public static bool TrySet@(entity.Name)(EcsDocument document, string path, object value) + public static Func@(Raw("<"))@(dispatch.FuncTarget), object, bool@(Raw(">")) TryAssign@(dispatch.AssignEntity)(string path) { - Func@(Raw("<"))@(entity.Name), object, bool@(Raw(">")) assign = path switch + Func@(Raw("<"))@(dispatch.FuncTarget), object, bool@(Raw(">")) assign = path switch { - @foreach (var prop in entity.BaseFieldSet.SettableProperties) + @foreach (var prop in dispatch.AssignableProperties) { + if (!prop.IsEntityDispatch) + { "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)(e, v, static (ee, p) => ee.@(prop.Name) = p), + } + else + { + "@prop.FullPath" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ??= new @(prop.ContainerPathEntity)(),v), + "@prop.LogTemplateAlternative" => static (e, v) => @(prop.CastFromObject)("@(prop.JsonProperty)")(e.@(prop.ContainerPath) ??= new @(prop.ContainerPathEntity)(),v), + + } } _ => null }; + return assign; + } + public static bool TrySet@(dispatch.AssignEntity)(@dispatch.AssignParameter document, string path, object value) + { + var assign = TryAssign@(dispatch.AssignEntity)(path); if (assign == null) return false; - - var entity = document.@(entity.Name) ?? new @(entity.Name)(); + + var entity = document.@(dispatch.AssignTarget) ?? new @(entity.Name)(); var assigned = assign(entity, value); - if (assigned) document.@(entity.Name) = entity; + if (assigned) document.@(dispatch.AssignTarget) = entity; return assigned; }