Elastic Common Schema (ECS)
The Elastic Common Schema is an open-source specification for storing structured data in Elasticsearch. It specifies a common set of field names and data types, as well as descriptions and examples of how to use them. The aim of ECS is to provide a consistent data structure to facilitate analysis, correlation, and visualization of data from diverse sources. NXLog Agent can be configured to send logs to Elasticsearch in a format that complies with ECS. This guide provides examples of how to normalize log records collected from different sources before they are forwarded to Elasticsearch.
ECS requirements
ECS requires data to be ingested in JSON format and uses the JSON dot notation. While the schema includes hundreds of fields, it simply acts as a guideline and can be tailored according to the use case. It also permits the use of additional user-defined fields, as long as they do not conflict with ECS fields, and ideally follow the ECS guidelines. See the Elastic documentation for Guidelines and Best Practices. ECS fields are organized into three levels, namely:
- Core fields
-
A set of fields that are common for all log sources. They are defined as ECS top-level objects.
- Extended fields
-
Fields that apply to specific log sources, or can be interpreted differently depending on the source. They are defined as ECS top-level objects.
- Custom fields
-
User-supplied fields that ECS does not cater for. They exist as non-ECS top-level objects.
For a complete list of defined fields and their description, refer to the ECS Field Reference.
Although ECS is flexible and it is expected that not every log record will include all fields, platforms like Elastic Security, which requires ECS-compliant data, make use of specific fields to process and display data. See the Elastic documentation for a complete Elastic Security ECS field reference. Depending on your use case, careful consideration should be given to the requirements of your platform when mapping fields to ECS.
Data enrichment
ECS core fields are common across all log sources and their aim is to facilitate searching for and identifying events. Core fields contain information on the environment where the event occurred, the log collection tool used to process it, and other metadata pertaining to the event. Such fields may be required by Elastic Security and other SIEM solutions that support ECS-compliant data, however, information to populate them is generally not part of the original log record, making data enrichment necessary. NXLog Agent can enrich log data by populating fields with user-defined values or information retrieved from the environment. For more information and examples, see the Normalizing data with NXLog Agent section in the NXLog Agent User Guide.
Below is a list of fields that are commonly required for ECS compliance.
Field | Type | Description |
---|---|---|
keyword |
The ECS version in use when the data was parsed. |
|
keyword |
The type of agent that collected the event, e.g. NXLog Agent. |
|
keyword |
The version of the agent that collected the event. |
Refer to the Elastic documentation for a complete list of Agent Fields.
Field | Type | Description |
---|---|---|
date |
The date/time when the event was generated. This is a required field. |
|
object |
Key/value pairs containing event metadata. |
|
text |
Log message, optimized for viewing in a log viewer. This field is indexed and supports full-text search. |
|
keyword |
List of keywords used to tag the event. |
Refer to the Elastic documentation for more information on Base Fields.
Field | Type | Description |
---|---|---|
keyword |
Operating system architecture. |
|
keyword |
Operating system family (e.g., Windows, Red Hat, Debian etc.) |
|
keyword |
Version of the operating system kernel as a raw string. |
|
keyword |
Operating system name, excluding the version. |
|
keyword |
Operating system platform (e.g., Windows, Ubuntu, CentOS etc.) |
|
keyword |
Broad operating system type. Must be one of linux, macos, unix, or windows. |
|
keyword |
Operating system version as a raw string. |
Refer to the Elastic documentation for a complete list of Host Fields.
Normalizing data with NXLog Agent
Data coming in different formats requires normalization to align events to ECS. NXLog Agent can easily assist in the normalization of data with its input and extension modules, built-in regular expressions support, or its various string manipulation functions.
To transform data, the Rewrite (xm_rewrite) module supports renaming and deleting fields, while the JSON (xm_json) module provides functionality to output data in JSON format.
Modules like the Syslog (xm_syslog) extension and the Event log for Windows 2008/Vista and later (im_msvistalog) input modules support parsing specific log formats into structured data. For data enrichment, NXLog Agent supports loading of dynamic configuration with the include_stdout general directive, as well as execution of external scripts with support for Perl, Python, Ruby, Go, and Java.
Additionally, the NXLog Agent Elasticsearch (om_elasticsearch) output module can forward logs in bulk to an Elasticsearch instance and supports dynamic indexing. The Elasticsearch and Kibana integration guide provides further details and examples.
The configuration examples below demonstrate how NXLog Agent can collect logs from different sources, as well as transform and enrich the data before it is forwarded to Elasticsearch.
This configuration collects events from Windows Event Log with the im_msvistalog input module. It uses the xm_rewrite extension to transform the data to comply with ECS, and the xm_json extension to convert the data to JSON format.
To enrich log records, it uses a PowerShell script that retrieves operating system information from the Windows host. The include_stdout directive is used to execute the script once on every startup of NXLog Agent and dynamically add its output to the configuration.
define NXLOGVERSION nxlog_version()
define NXLOGEDITION 'nxlog-ee'
define ECSV '1.10.0'
# Path to windows_env.cmd file for Windows enrichment.
# Modify it if required or comment the line below if not needed.
include_stdout C:\Program Files\nxlog\conf\windows_env.cmd
<Extension json>
Module xm_json
DateFormat YYYY-MM-DDThh:mm:ss.sUTC
</Extension>
<Extension win_ecs>
Module xm_rewrite
<Exec>
$timestamp = $EventTime;
rename_field("timestamp","@timestamp");
if defined $UtcTime ${event.time.utc} = $UtcTime;
${ecs.version} = %ECSV%;
${tags} = '["testing","'+$Hostname+'"]';
${agent.hostname} = $Hostname;
${agent.name} = $Hostname;
${agent.type} = %NXLOGEDITION%;
${agent.version} = %NXLOGVERSION%;
${nxlog.version} = %NXLOGVERSION%;
${host.architecture} = '%ARCHITECTURE%';
${host.ip} = host_ip();
${host.name} = $Hostname;
${host.os.build} = '%HOSTVER%';
${host.os.family} = '%FAMILY%';
${host.os.name} = '%OSNAME%';
${host.os.kernel} = '%WINBUILD%';
${host.os.platform} = '%PLATFORM%';
${host.os.type} = lc('%HOSTTYPE%');
${event.action} = $Category;
${event.original} = $raw_event;
${event.time.original} = $EventTime;
${event.time.received} = $EventReceivedTime;
${winlog.api} = 'wineventlog';
${winlog.computer_name} = $Hostname;
if defined $Description
{
${process.pe.description} = $Description;
${winlog.event_data.Description} = $Description;
}
# Regular Expressions to capture data from events
if $Image =~ /\\(.*)\\(.*)/ ${process.name} = $2;
if $Data =~ /[0-9]{1,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}Z/
{
rename_field("data","windows.application.timestamp");
}
if $User =~ /(.*)\\(.*)/
{
${user.domain} = $1;
${user.name} = $2;
${related.user} = $2;
}
if $Hashes =~ /(SHA256)=(.*)/ ${hash.sha256} = $2;
# For Windows PowerShell
if $Channel == "Windows PowerShell"
{
if $Data_2 =~ /NewEngineState=(.*)/ ${powershell.engine.new_state} = $1;
if $Data_2 =~ /PreviousEngineState=(.*)/ ${powershell.engine.previous_state} = $1;
if $Data_2 =~ /SequenceNumber=(.*)/ ${event.sequence} = $1;
if $Data_2 =~ /HostName=(.*)/ ${process.title} = $1;
if $Data_2 =~ /HostVersion=(.*)/ ${powershell.executable.version} = $1;
if $Data_2 =~ /HostId=(.*)/ ${process.entity_id} = $1;
if $Data_2 =~ /HostApplication=(.*)/ ${process.args} = $1;
if $Data_2 =~ /HostApplication=(.*)/ ${process.command_line} = $1;
if $Data_2 =~ /EngineVersion=(.*)/ ${powershell.engine.version} = $1;
if $Data_2 =~ /RunspaceId=(.*)/ ${powershell.runspace_id} = $1;
}
</Exec>
# Renamed Fields
Rename Version, winlog.version
Rename SourceModuleType, nxlog.module.type
Rename SourceModuleName, nxlog.module.name
Rename Message, message
Rename Channel, event.provider
Rename OpCode, log.level
Rename Image, process.executable
Rename ProcessGuid, process.entity_id
Rename ProcessId, process.pid
Rename SourceName, winlog.provider_name
Rename EventType, winlog.opcode
Rename Domain, winlog.user.name
Rename UserID, winlog.user.identifier
Rename ExecutionProcessID, winlog.process.pid
Rename ExecutionThreadID, winlog.process.thread
Rename ProviderGuid, winlog.provider_guid
Rename RecordNumber, winlog.record_id
Rename AccountType, winlog.user.type
Rename AccountName, winlog.user.name
Rename Category, winlog.task
Rename VirtualAccount, winlog.event_data.VirtualAccount
Rename TransmittedServices, winlog.event_data.TransmittedServices
Rename TargetUserSid, winlog.event_data.TargetUserSid
Rename TargetUserName, winlog.event_data.TargetUserName
Rename TargetOutboundUserName, winlog.event_data.TargetOutboundUserName
Rename TargetOutboundDomainName, winlog.event_data.TargetOutboundDomainName
Rename TargetLogonId, winlog.event_data.TargetLogonId
Rename TargetLinkedLogonId, winlog.event_data.TargetLinkedLogonId
Rename TargetDomainName, winlog.event_data.TargetDomainName
Rename SubjectUserSid, winlog.event_data.SubjectUserSid
Rename SubjectUserName, winlog.event_data.SubjectUserName
Rename SubjectLogonId, winlog.event_data.SubjectLogonId
Rename SubjectDomainName, winlog.event_data.SubjectDomainName
Rename RestrictedAdminMode, winlog.event_data.RestrictedAdminMode
Rename ProcessName, process.name
Rename LogonType, winlog.event_data.LogonType
Rename LogonProcessName, winlog.event_data.LogonProcessName
Rename LogonGuid, winlog.event_data.LogonGuid
Rename LmPackageName, winlog.event_data.LmPackageName
Rename KeyLength, winlog.event_data.KeyLength
Rename IpPort, winlog.event_data.IpPort
Rename IpAddress, winlog.event_data.IpAddress
Rename ImpersonationLevel, winlog.event_data.ImpersonationLevel
Rename ElevatedToken, winlog.event_data.ElevatedToken
Rename AuthenticationPackageName, winlog.event_data.AuthenticationPackageName
Rename ActivityID, winlog.activity_id
Rename AlgorithmName, winlog.event_data.AlgorithmName
Rename ClientCreationTime, winlog.event_data.ClientCreationTime
Rename ClientProcessId, winlog.event_data.ClientProcessId
Rename KeyName, winlog.event_data.KeyName
Rename KeyType, winlog.event_data.KeyType
Rename Operation, winlog.event_data.Operation
Rename ProviderName, winlog.event_data.ProviderName
Rename ReturnCode, winlog.event_data.ReturnCode
Rename OriginalFileName, process.pe.original_file_name
Rename ParentCommandLine, process.parent.command_line
Rename ParentImage, process.parent.executable
Rename ParentProcessGuid, process.parent.entity_id
Rename ParentProcessId ,process.parent.pid
Rename Product, process.pe.product
Rename TerminalSessionId, winlog.event_data.TerminalSessionId
Rename RuleName, winlog.event_data.RuleName
Rename LogonId, winlog.event_data.LogonId
Rename IntegrityLevel, winlog.event_data.IntegrityLevel
Rename FileVersion, winlog.event_data.FileVersion
Rename CurrentDirectory, process.working_directory
Rename Company, winlog.event_data.Company
Rename CommandLine, process.command_line
Rename AccountExpires, winlog.event_data.AccountExpires
Rename AccountName, winlog.event_data.AccountName
Rename ActivityId, winlog.activity_id
Rename AddServiceID.AddServiceStatus, winlog.user_data.AddServiceStatus
Rename AdvancedOptions, winlog.user_data.AdvancedOptions
# End renamed fields
<Exec>
${winlog.event_id} = $EventID;
${event.code} = $EventID;
delete("EventID");
delete("Data_1");
delete("Data_2");
delete("Description");
delete("Hostname");
delete("User");
delete("Image");
delete("Data");
delete("Hashes");
</Exec>
</Extension>
<Input win_eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='Application'>*</Select>
<Select Path='Security'>*[System/Level<4]</Select>
<Select Path='System'>*</Select>
<Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
<Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
<Select Path='Windows PowerShell'>*</Select>
</Query>
</QueryList>
</QueryXML>
Exec win_ecs->process(); to_json();
</Input>
@( Set "_= (
REM " ) <#
)
@Echo Off
SetLocal EnableExtensions DisableDelayedExpansion
set powershell=powershell.exe
REM Use this if you need 64-bit PowerShell (has no effect on 32-bit systems).
REM if defined PROCESSOR_ARCHITEW6432 (
REM set powershell=%SystemRoot%\SysNative\WindowsPowerShell\v1.0\powershell.exe
REM )
REM Use this if you need 32-bit PowerShell.
REM if NOT %PROCESSOR_ARCHITECTURE% == x86 (
REM set powershell=%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
REM )
%powershell% -ExecutionPolicy Bypass -NoProfile ^
-Command "iex ((gc '%~f0') -join [char]10)"
EndLocal & Exit /B %ErrorLevel%
#>
# PowerShell code starts here.
# To make NXLog return an error, write to standard error and exit 1
if ($false) {
[Console]::Error.WriteLine("This is an error")
exit 1
}
else {
# Anything written to standard output is used as configuration content
$winbuild = (Get-CimInstance Win32_OperatingSystem).Version
$architecture = (Get-WmiObject CIM_OperatingSystem).OSArchitecture
$versionarray = (Get-CimInstance Win32_OperatingSystem).Version.Split(".")
$majorversion = $versionarray[0]
$minorversion = $versionarray[1]
if ($architecture -like "64-bit"){
$architecture = "x86_64"
}else{
$architecture = "x86"
}
$osname = (Get-WmiObject -Class Win32_OperatingSystem).caption
Write-Output "define ARCHITECTURE $architecture"
Write-Output "define FAMILY windows"
Write-Output "define HOSTTYPE windows"
Write-Output "define PLATFORM windows"
Write-Output "define OSNAME $osname"
Write-Output "define WINBUILD $winbuild"
Write-Output "define HOSTVER $majorversion.$minorversion"
}
The following JSON shows a Windows Event Log record after it was processed by NXLog Agent.
{
"EventTime": "2021-07-12T09:13:37.347673Z",
"Keywords": "9259400833873739776",
"winlog.opcode": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"winlog.provider_name": "Service Control Manager",
"winlog.provider_guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"winlog.version": 0,
"TaskValue": 0,
"OpcodeValue": 0,
"winlog.record_id": 14052,
"winlog.process.pid": 544,
"winlog.process.thread": 1672,
"event.provider": "System",
"message": "The nxlog service entered the running state.",
"param1": "nxlog",
"param2": "running",
"EventData.Binary": "6E0078006C006F0067002F0034000000",
"EventReceivedTime": "2021-07-12T09:13:38.613296Z",
"nxlog.module.name": "win_eventlog",
"nxlog.module.type": "im_msvistalog",
"@timestamp": "021-07-12T09:13:38.613296Z",
"ecs.version": "1.10.0",
"tags": [
"testing",
"server02"
],
"agent.hostname": "server02",
"agent.name": "server02",
"agent.type": "nxlog-ee",
"agent.version": "5.3.7022",
"nxlog.version": "5.3.7022",
"host.architecture": "x86_64",
"host.ip": "10.0.2.15",
"host.name": "server02",
"host.os.build": "10.0",
"host.os.family": "windows",
"host.os.name": "Microsoft Windows Server 2016 Standard",
"host.os.kernel": "10.0.14393.693",
"host.os.platform": "windows",
"host.os.type": "windows",
"event.action": null,
"event.original": "2021-07-12 10:13:37 server02 INFO Keywords=\"9259400833873739776\" EventType=\"INFO\" SeverityValue=\"2\" EventID=\"7036\" SourceName=\"Service Control Manager\" ProviderGuid=\"{555908D1-A6D7-4695-8E1E-26931D2012F4}\" Version=\"0\" TaskValue=\"0\" OpcodeValue=\"0\" RecordNumber=\"14052\" ExecutionProcessID=\"544\" ExecutionThreadID=\"1672\" Channel=\"System\" Message=\"The nxlog service entered the running state.\" param1=\"nxlog\" param2=\"running\" EventData.Binary=\"6E0078006C006F0067002F0034000000\"",
"event.time.original": "22021-07-12T09:13:38.613296Z",
"event.time.received": "2021-07-12T09:13:38.613296Z",
"winlog.api": "wineventlog",
"winlog.computer_name": "server02",
"winlog.event_id": 7036,
"event.code": 7036
}
This configuration listens for syslog messages on UDP port 514 with the im_udp input module. It makes use of three extension modules; xm_syslog to parse log records into structured data, xm_rewrite to transform the data to comply with ECS, and xm_json to convert the data to JSON format.
To enrich log records, it uses a bash script that retrieves operating system information from the Linux host. The include_stdout directive is used to execute the script once on every startup of NXLog Agent and dynamically add its output to the configuration.
define NXLOGVERSION nxlog_version()
define NXLOGEDITION 'nxlog-ee'
define ECSV '1.10.0'
# Path to linux_env.sh file for Linux enrichment.
# Modify it if required or comment the line below if not needed.
include_stdout /opt/nxlog/etc/linux_env.sh
<Extension json>
Module xm_json
DateFormat YYYY-MM-DDThh:mm:ss.sUTC
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Extension linux_ecs>
Module xm_rewrite
Rename SourceModuleType, nxlog.module.type
Rename SourceModuleName, nxlog.module.name
Rename Message, message
Rename MessageSourceAddress, host.ip
<Exec>
if defined $pid
{
${process.pid} = $pid;
delete($pid);
}
if defined $uid
{
${user.id} = $uid;
delete($uid);
}
</Exec>
</Extension>
<Input syslog_systems>
Module im_udp
ListenAddr 0.0.0.0:514
<Exec>
parse_syslog();
$timestamp = $EventReceivedTime;
rename_field("timestamp","@timestamp");
${ecs.version} = %ECSV%;
${tags} = '["testing","'+$Hostname+'"]';
${agent.hostname} = $Hostname;
${agent.name} = $Hostname;
${agent.type} = %NXLOGEDITION%;
${agent.version} = %NXLOGVERSION%;
${nxlog.version} = %NXLOGVERSION%;
${host.architecture} = '%ARCHITECTURE%';
${host.name} = $Hostname;
${host.os.codename} = '%CODENAME%';
${host.os.family} = '%FAMILY%';
${host.os.kernel} = '%KERNEL%';
${host.os.name} = '%OSNAME%';
${host.os.platform} = '%PLATFORM%';
${host.os.type} = lc('%TYPE%');
${host.os.version} = '%OSVERSION%';
${event.original} = $raw_event;
linux_ecs->process(); to_json();
</Exec>
</Input>
#!/bin/bash
# The following list of variables are for the following
# ECS fields in order to comply with ECS enrichment
# host.architecture | $ARCHITECTURE
# host.os.codename | $CODENAME
# host.os.family | $FAMILY
# host.os.kernel | $KERNEL
# host.os.name | $OSNAME
# host.os.platform | $PLATFORM
# host.os.type | $TYPE
# host.os.version | $OSVERSION
ARCHITECTURE=$(uname -m)
FAMILY=$(cat /etc/os-release | grep -oP "^ID=\K\w+")
KERNEL=$(uname -r)
PLATFORM=$(cat /etc/os-release | grep -oP "^ID=\K\w+")
TYPE=$(uname -s)
OSNAME=$(cat /etc/os-release | grep -oP '^NAME=.*' | grep -oP '"(.*)"' | sed s/\"//g)
CODENAME=$(cat /etc/os-release | grep -oP "VERSION_CODENAME=\K\w+")
OSVERSION=$(cat /etc/os-release | grep VERSION= | grep -oP '"(.*)"' | sed s/\"//g)
echo "define ARCHITECTURE $ARCHITECTURE"
echo "define FAMILY $FAMILY"
echo "define KERNEL $KERNEL"
echo "define PLATFORM $PLATFORM"
echo "define TYPE $TYPE"
echo "define OSNAME $OSNAME"
echo "define CODENAME $CODENAME"
echo "define OSVERSION $OSVERSION"
The following JSON shows a syslog message after it was processed by NXLog Agent.
{
"EventReceivedTime": "2021-07-12T11:26:33.192630Z",
"nxlog.module.name": "syslog_udp",
"nxlog.module.type": "im_file",
"SyslogFacilityValue": 1,
"SyslogFacility": "USER",
"SyslogSeverityValue": 5,
"SyslogSeverity": "NOTICE",
"SeverityValue": 2,
"Severity": "INFO",
"Hostname": "server01",
"EventTime": "2021-07-12T10:24:05.000000Z",
"SourceName": "systemd",
"ProcessID": 1,
"message": "Starting NXLog daemon...",
"@timestamp": "2021-07-12T11:26:33.192630Z",
"ecs.version": "1.10.0",
"tags": [
"testing",
"server01"
],
"agent.hostname": "server01",
"agent.name": "server01",
"agent.type": "nxlog-ee",
"agent.version": "5.3.7022",
"nxlog.version": "5.3.7022",
"host.architecture": "x86_64",
"host.name": "server01",
"host.os.codename": "focal",
"host.os.family": "ubuntu",
"host.os.kernel": "5.8.0-59-generic",
"host.os.name": "Ubuntu",
"host.os.platform": "ubuntu",
"host.os.type": "linux",
"host.os.version": "20.04.2 LTS (Focal Fossa)",
"event.original": "Jul 12 12:24:05 server01 systemd[1]: Starting NXLog daemon..."
}
The scripts in this guide are provided "AS IS" without warranty of any kind, either expressed or implied. Use at your own risk. |
Elasticsearch mapping
The following is an example mapping file for proper visualization of Windows events inside Elasticsearch. This is part of the template component portion of Elasticsearch.
{
"version": 0,
"template": {
"settings": {
"codec": "best_compression"
},
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"event_id": {
"type": "keyword"
},
"provider_name": {
"type": "keyword"
},
"opcode": {
"type": "keyword"
},
"user": {
"properties": {
"name": {
"type": "keyword"
},
"identifier": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"domain": {
"type": "keyword"
}
}
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"type": "long"
},
"id": {
"type": "keyword"
}
}
},
"provider_guid": {
"type": "keyword"
},
"record_id": {
"type": "keyword"
},
"task": {
"type": "keyword"
},
"event_data": {
"type": "object"
},
"activity_id": {
"type": "keyword"
},
"computer_name": {
"type": "keyword"
},
"api": {
"type": "keyword"
},
"logon": {
"properties": {
"type": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"failure": {
"properties": {
"reason": {
"type": "keyword"
},
"status": {
"type": "keyword"
},
"sub_status": {
"type": "keyword"
}
}
}
}
},
"keywords": {
"type": "keyword"
},
"channel": {
"type": "keyword"
},
"related_activity_id": {
"type": "keyword"
},
"time_created": {
"type": "keyword"
},
"user_data": {
"type": "keyword"
},
"version": {
"type": "long"
},
"VirtualAccount": {
"type": "keyword"
}
}
},
"powershell": {
"properties": {
"engine": {
"properties": {
"new_state": {
"type": "keyword"
},
"previous_state": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"executable": {
"properties": {
"version": {
"type": "keyword"
}
}
},
"runspace_id": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"pipeline_id": {
"type": "keyword"
},
"sequence": {
"type": "long"
},
"total": {
"type": "long"
},
"command": {
"properties": {
"path": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"value": {
"type": "keyword"
},
"invocation_details": {
"properties": {
"type": {
"type": "keyword"
},
"related_command": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"value": {
"type": "text"
}
}
}
}
},
"connected_user": {
"properties": {
"domain": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"file": {
"properties": {
"script_block_id": {
"type": "keyword"
},
"script_block_text": {
"type": "text"
}
}
},
"process": {
"properties": {
"executable_version": {
"type": "keyword"
}
}
},
"provider": {
"properties": {
"new_state": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"time": {
"properties": {
"original": {
"type": "date"
},
"received": {
"type": "date"
}
}
},
"original": {
"type": "keyword"
},
"action": {
"type": "keyword"
},
"code": {
"type": "keyword"
}
}
},
"process": {
"properties": {
"title": {
"type": "keyword"
},
"entity_id": {
"type": "keyword"
},
"args": {
"type": "keyword"
},
"command_line": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"pe": {
"properties": {
"description": {
"type": "keyword"
}
}
},
"exe": {
"type": "alias",
"path": "process.executable"
},
"executable": {
"type": "keyword"
}
}
},
"windows": {
"properties": {
"application": {
"properties": {
"timestamp": {
"type": "date"
}
}
}
}
},
"user": {
"type": "keyword"
},
"related": {
"properties": {
"user": {
"type": "keyword"
}
}
},
"hash": {
"properties": {
"sha256": {
"type": "keyword"
}
}
},
"agent": {
"properties": {
"name": {
"type": "keyword"
},
"hostname": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"build": {
"properties": {
"original": {
"type": "keyword"
}
}
},
"ephimeral_id": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
},
"host": {
"properties": {
"name": {
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"os": {
"properties": {
"build": {
"type": "keyword"
},
"codename": {
"type": "keyword"
}
}
}
}
},
"nxlog": {
"properties": {
"version": {
"type": "keyword"
},
"module": {
"properties": {
"name": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
}
}
},
"ecs": {
"properties": {
"version": {
"type": "keyword"
}
}
},
"tags": {
"type": "keyword"
},
"labels": {
"type": "object"
},
"message": {
"type": "keyword"
},
"kubernetes": {
"properties": {
"pod": {
"properties": {
"name": {
"type": "keyword"
},
"uid": {
"type": "keyword"
},
"ip": {
"type": "ip"
}
}
},
"namespace": {
"type": "keyword"
},
"node": {
"properties": {
"name": {
"type": "keyword"
},
"hostname": {
"type": "keyword"
}
}
},
"labels": {
"properties": {
"*": {
"type": "object"
}
}
},
"annotations": {
"properties": {
"*": {
"type": "object"
}
}
},
"selectors": {
"properties": {
"*": {
"type": "object"
}
}
},
"replicaset": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"deployment": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"statefulset": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"container": {
"properties": {
"name": {
"type": "keyword"
},
"image": {
"type": "alias",
"path": "container.image.name"
}
}
}
}
},
"sysmon": {
"properties": {
"dns": {
"properties": {
"status": {
"type": "keyword"
}
}
},
"file": {
"properties": {
"archived": {
"type": "boolean"
},
"is_executable": {
"type": "boolean"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"type": "keyword"
}
}
}
}
},
"event_id": {
"type": "keyword"
},
"provider_name": {
"type": "keyword"
},
"opcode": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"identifier": {
"type": "keyword"
},
"pid": {
"type": "long"
},
"thread": {
"type": "long"
},
"provider_guid": {
"type": "keyword"
},
"record_id": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"task": {
"type": "keyword"
},
"event_data": {
"type": "object"
},
"TransmittedServices": {
"type": "keyword"
},
"TargetUserSid": {
"type": "keyword"
},
"TargetUserName": {
"type": "keyword"
},
"TargetOutboundUserName": {
"type": "keyword"
},
"TargetOutboundDomainName": {
"type": "keyword"
},
"TargetLogonId": {
"type": "keyword"
},
"TargetLinkedLogonId": {
"type": "keyword"
},
"TargetDomainName": {
"type": "keyword"
},
"SubjectUserSid": {
"type": "keyword"
},
"SubjectUserName": {
"type": "keyword"
},
"SubjectLogonId": {
"type": "keyword"
},
"SubjectDomainName": {
"type": "keyword"
},
"RestrictedAdminMode": {
"type": "keyword"
},
"LogonType": {
"type": "keyword"
},
"LogonProcessName": {
"type": "keyword"
},
"LogonGuid": {
"type": "keyword"
},
"LmPackageName": {
"type": "keyword"
},
"KeyLength": {
"type": "keyword"
},
"IpPort": {
"type": "keyword"
},
"IpAddress": {
"type": "ip"
},
"ImpersonationLevel": {
"type": "keyword"
},
"ElevatedToken": {
"type": "keyword"
},
"AuthenticationPackageName": {
"type": "keyword"
},
"activity_id": {
"type": "keyword"
},
"AlgorithmName": {
"type": "keyword"
},
"ClientCreationTime": {
"type": "keyword"
},
"ClientProcessId": {
"type": "keyword"
},
"KeyName": {
"type": "keyword"
},
"KeyType": {
"type": "keyword"
},
"Operation": {
"type": "keyword"
},
"ProviderName": {
"type": "keyword"
},
"ReturnCode": {
"type": "keyword"
},
"TerminalSessionId": {
"type": "keyword"
},
"RuleName": {
"type": "keyword"
},
"LogonId": {
"type": "keyword"
},
"IntegrityLevel": {
"type": "keyword"
},
"FileVersion": {
"type": "keyword"
},
"Company": {
"type": "keyword"
},
"engine": {
"properties": {
"new_state": {
"type": "keyword"
}
}
},
"previous_state": {
"type": "keyword"
},
"sequence": {
"type": "long"
},
"title": {
"type": "keyword"
},
"executable": {
"type": "keyword"
},
"entity_id": {
"type": "keyword"
},
"args": {
"type": "keyword"
},
"command_line": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"runspace_id": {
"type": "keyword"
},
"application": {
"properties": {
"timestamp": {
"type": "date"
}
}
},
"domain": {
"type": "keyword"
},
"sha256": {
"type": "keyword"
},
"time": {
"properties": {
"original": {
"type": "date"
}
}
},
"received": {
"type": "date"
},
"hostname": {
"type": "keyword"
},
"computer_name": {
"type": "keyword"
},
"api": {
"type": "keyword"
},
"original": {
"type": "keyword"
},
"ip": {
"type": "ip"
},
"action": {
"type": "keyword"
},
"pe": {
"properties": {
"description": {
"type": "keyword"
}
}
},
"Description": {
"type": "keyword"
},
"module": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"build": {
"type": "keyword"
},
"ephimeral_id": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"containerized": {
"type": "boolean"
},
"os": {
"properties": {
"build": {
"type": "keyword"
}
}
},
"codename": {
"type": "keyword"
},
"pod": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"uid": {
"type": "keyword"
},
"namespace": {
"type": "keyword"
},
"node": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"*": {
"type": "object"
},
"annotations": {
"properties": {
"*": {
"type": "object"
}
}
},
"selectors": {
"properties": {
"*": {
"type": "object"
}
}
},
"replicaset": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"deployment": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"statefulset": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"image": {
"type": "alias",
"path": "container.image.name"
},
"pipeline_id": {
"type": "keyword"
},
"total": {
"type": "long"
},
"command": {
"properties": {
"path": {
"type": "keyword"
}
}
},
"value": {
"type": "text"
},
"invocation_details": {
"properties": {
"type": {
"type": "keyword"
}
}
},
"related_command": {
"type": "keyword"
},
"connected_user": {
"properties": {
"domain": {
"type": "keyword"
}
}
},
"file": {
"properties": {
"script_block_id": {
"type": "keyword"
}
}
},
"script_block_text": {
"type": "text"
},
"executable_version": {
"type": "keyword"
},
"provider": {
"type": "keyword"
},
"exe": {
"type": "alias",
"path": "process.executable"
},
"logon": {
"properties": {
"type": {
"type": "keyword"
}
}
},
"failure": {
"properties": {
"reason": {
"type": "keyword"
}
}
},
"status": {
"type": "keyword"
},
"sub_status": {
"type": "keyword"
},
"dns": {
"properties": {
"status": {
"type": "keyword"
}
}
},
"archived": {
"type": "boolean"
},
"is_executable": {
"type": "boolean"
},
"BitlockerUserInputTime": {
"type": "keyword"
},
"BootMode": {
"type": "keyword"
},
"BootType": {
"type": "keyword"
},
"BuildVersion": {
"type": "keyword"
},
"CorruptionActionState": {
"type": "keyword"
},
"CreationUtcTime": {
"type": "keyword"
},
"Detail": {
"type": "keyword"
},
"DeviceName": {
"type": "keyword"
},
"DeviceNameLength": {
"type": "keyword"
},
"DeviceTime": {
"type": "keyword"
},
"DeviceVersionMajor": {
"type": "keyword"
},
"DeviceVersionMinor": {
"type": "keyword"
},
"DriveName": {
"type": "keyword"
},
"DriverName": {
"type": "keyword"
},
"DriverNameLength": {
"type": "keyword"
},
"DwordVal": {
"type": "keyword"
},
"EntryCount": {
"type": "keyword"
},
"ExtraInfo": {
"type": "keyword"
},
"FailureName": {
"type": "keyword"
},
"FailureNameLength": {
"type": "keyword"
},
"FinalStatus": {
"type": "keyword"
},
"Group": {
"type": "keyword"
},
"IdleImplementation": {
"type": "keyword"
},
"IdleStateCount": {
"type": "keyword"
},
"LastBootGood": {
"type": "keyword"
},
"LastShutdownGood": {
"type": "keyword"
},
"MajorVersion": {
"type": "keyword"
},
"MaximumPerformancePercent": {
"type": "keyword"
},
"MemberName": {
"type": "keyword"
},
"MemberSid": {
"type": "keyword"
},
"MinimumPerformancePercent": {
"type": "keyword"
},
"MinimumThrottlePercent": {
"type": "keyword"
},
"MinorVersion": {
"type": "keyword"
},
"NewProcessId": {
"type": "keyword"
},
"NewProcessName": {
"type": "keyword"
},
"NewSchemeGuid": {
"type": "keyword"
},
"NewTime": {
"type": "keyword"
},
"NormalFrequency": {
"type": "keyword"
},
"Number": {
"type": "keyword"
},
"OldSchemeGuid": {
"type": "keyword"
},
"OldTime": {
"type": "keyword"
},
"OriginalFileName": {
"type": "keyword"
},
"Path": {
"type": "keyword"
},
"PerformanceImplementation": {
"type": "keyword"
},
"PreviousCreationUtcTime": {
"type": "keyword"
},
"PreviousTime": {
"type": "keyword"
},
"PrivilegeList": {
"type": "keyword"
},
"ProcessId": {
"type": "keyword"
},
"ProcessName": {
"type": "keyword"
},
"ProcessPath": {
"type": "keyword"
},
"ProcessPid": {
"type": "keyword"
},
"Product": {
"type": "keyword"
},
"PuaCount": {
"type": "keyword"
},
"PuaPolicyId": {
"type": "keyword"
},
"QfeVersion": {
"type": "keyword"
},
"Reason": {
"type": "keyword"
},
"SchemaVersion": {
"type": "keyword"
},
"ScriptBlockText": {
"type": "keyword"
},
"ServiceName": {
"type": "keyword"
},
"ServiceVersion": {
"type": "keyword"
},
"ShutdownActionType": {
"type": "keyword"
},
"ShutdownEventCode": {
"type": "keyword"
},
"ShutdownReason": {
"type": "keyword"
},
"Signature": {
"type": "keyword"
},
"SignatureStatus": {
"type": "keyword"
},
"Signed": {
"type": "keyword"
},
"StartTime": {
"type": "keyword"
},
"State": {
"type": "keyword"
},
"Status": {
"type": "keyword"
},
"StopTime": {
"type": "keyword"
},
"Tsid": {
"type": "keyword"
},
"TargetInfo": {
"type": "keyword"
},
"TargetLogonGuid": {
"type": "keyword"
},
"TargetServerName": {
"type": "keyword"
},
"TokenElevationType": {
"type": "keyword"
},
"UserSid": {
"type": "keyword"
},
"Version": {
"type": "keyword"
},
"Workstation": {
"type": "keyword"
},
"param1": {
"type": "keyword"
},
"param2": {
"type": "keyword"
},
"param3": {
"type": "keyword"
},
"param4": {
"type": "keyword"
},
"param5": {
"type": "keyword"
},
"param6": {
"type": "keyword"
},
"param7": {
"type": "keyword"
},
"param8": {
"type": "keyword"
},
"keywords": {
"type": "keyword"
},
"channel": {
"type": "keyword"
},
"related_activity_id": {
"type": "keyword"
},
"time_created": {
"type": "keyword"
},
"user_data": {
"type": "keyword"
},
"VirtualAccount": {
"type": "keyword"
},
"new_state": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"description": {
"type": "keyword"
},
"path": {
"type": "keyword"
},
"script_block_id": {
"type": "keyword"
},
"reason": {
"type": "keyword"
},
"code": {
"type": "keyword"
}
}
}
},
"_meta": {
"description": "Component Template for ECS Base Fields"
}
}