Loading

Common fields

Stack

Contains common fields available in all event types.

file

File attributes.

file.setuid

Set if the file has the setuid bit set. Omitted otherwise.

type: boolean

example: True

file.setgid

Set if the file has the setgid bit set. Omitted otherwise.

type: boolean

example: True

file.origin

An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

type: keyword

file.origin.text

This is an analyzed field that is useful for full text search on the origin data.

type: text

selinux

The SELinux identity of the file.

file.selinux.user

The owner of the object.

type: keyword

file.selinux.role

The object's SELinux role.

type: keyword

file.selinux.domain

The object's SELinux domain or type.

type: keyword

file.selinux.level

The object's SELinux level.

type: keyword

example: s0

file.extended_attributes Stack Planned

Extended file attributes. Contains NTFS Extended Attributes (EAs) on Windows systems. Extended Attributes are name-value pairs that can be attached to files and directories to store additional metadata beyond standard file attributes. The object contains key-value pairs where keys are EA names and values are their corresponding values. This field is only populated on Windows and only when the file has extended attributes.

type: flattened

user

User information.

audit

Audit user information.

user.audit.id

Audit user ID.

type: keyword

user.audit.name

Audit user name.

type: keyword

filesystem

Filesystem user information.

user.filesystem.id

Filesystem user ID.

type: keyword

user.filesystem.name

Filesystem user name.

type: keyword

group

Filesystem group information.

user.filesystem.group.id

Filesystem group ID.

type: keyword

user.filesystem.group.name

Filesystem group name.

type: keyword

saved

Saved user information.

user.saved.id

Saved user ID.

type: keyword

user.saved.name

Saved user name.

type: keyword

group

Saved group information.

user.saved.group.id

Saved group ID.

type: keyword

user.saved.group.name

Saved group name.

type: keyword