
Auditbeat Linux

Overview

Auditbeat communicates directly with the Linux audit framework and collects the same data as auditd. The collected events are written as JSON to a log file before being forwarded to a log concentrator.

Event Categories

The following table lists the data sources offered by this integration.

Data Source Description
Authentication logs From the system module, the login dataset retrieves user logins, logouts, and system boots
File monitoring From the audit module, the file metricset sends an event whenever a file on disk is changed (created, updated, or deleted). Each event contains the file's metadata and hashes
Process monitoring From the system module, the process dataset retrieves started and stopped processes
Process use of network From the system module, the socket dataset retrieves opened and closed sockets

Event Samples

Find below a few sample events and how they are normalized by SEKOIA.IO.

{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "event": {
        "module": "system",
        "dataset": "process",
        "kind": "event",
        "category": [
            "process"
        ],
        "type": [
            "end"
        ],
        "action": "process_stopped"
    },
    "process": {
        "working_directory": "/my/directory",
        "start": "2021-01-01T00:01:01.000Z",
        "name": "smtp",
        "entity_id": "AZERTY123456789",
        "pid": 123123,
        "executable": "/usr/lib/postfix/sbin/smtp",
        "args": [
            "smtp",
            "-t",
            "unix",
            "-u",
            "-c"
        ],
        "command_line": "smtp -t unix -u -c",
        "hash": {
            "sha1": "53fe0c00019fb177e43c7ac214f466f01158384e"
        },
        "parent": {
            "pid": 1457
        }
    },
    "auditbeat": {
        "message": "Process smtp (PID: 123123) by user postfix STOPPED"
    },
    "auditd": {
        "user": {
            "saved": {
                "id": "999",
                "group": {
                    "id": "222"
                }
            }
        }
    },
    "user": {
        "effective": {
            "id": "999",
            "group": {
                "id": "222"
            }
        },
        "name": "postfix",
        "id": "999",
        "group": {
            "id": "222",
            "name": "postfix"
        }
    },
    "service": {
        "type": "system"
    },
    "ecs": {
        "version": "1.9.0"
    },
    "host": {
        "name": "fame"
    },
    "agent": {
        "hostname": "fame",
        "ephemeral_id": "qsdfghjklm-1111-2222-3333-azertyuiop",
        "id": "wxcvbn-010101-121212-4444-azertyuiop",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    }
}
{
    "user": {
        "filesystem": {
            "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
            "group": {
                "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
                "name": "housetodd"
            },
            "name": "housetodd"
        },
        "name": "housetodd",
        "audit": {
            "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
            "name": "housetodd"
        },
        "group": {
            "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
            "name": "housetodd"
        },
        "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430"
    },
    "auditbeat": {
        "tags": [
            "access"
        ]
    },
    "@timestamp": "2021-11-09T17:39:26.389Z",
    "event": {
        "category": [
            "file"
        ],
        "id": "3a4fc4b3-f7b8-4b41-b696-bf7d452a0bec",
        "dialect_uuid": "18f1e8ee-7e55-484d-b210-a7ebeeb62924",
        "kind": "event",
        "created": "2021-06-10",
        "hash": "89e3ad1078a4ee2210d04736528e10476dda685d",
        "module": "auditd",
        "type": [
            "creation"
        ],
        "outcome": "failure",
        "action": "opened-file",
        "dialect": "auditbeat"
    },
    "message": "{\"@timestamp\":\"2021-11-09T17:39:26.389Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"process\":{\"ppid\":18470,\"title\":\"/opt/google/chrome/chrome --type=zygote --enable-crashpad --crashpad-handler-pid=18479 --enable-crash-reporter=, --change-stack-\",\"name\":\"chrome\",\"executable\":\"/opt/google/chrome/chrome\",\"working_directory\":\"/home/housetodd\",\"pid\":18488},\"auditd\":{\"session\":\"3\",\"summary\":{\"actor\":{\"primary\":\"housetodd\",\"secondary\":\"housetodd\"},\"object\":{\"primary\":\"/proc/1/oom_score_adj\",\"type\":\"file\"},\"how\":\"/opt/google/chrome/chrome\"},\"paths\":[{\"cap_fe\":\"0\",\"cap_fver\":\"0\",\"inode\":\"16064\",\"name\":\"/proc/1/\",\"ogid\":\"0\",\"ouid\":\"0\",\"rdev\":\"00:00\",\"cap_fi\":\"0000000000000000\",\"cap_fp\":\"0000000000000000\",\"dev\":\"00:04\",\"item\":\"0\",\"mode\":\"040555\",\"nametype\":\"PARENT\"},{\"nametype\":\"NORMAL\",\"ogid\":\"0\",\"ouid\":\"0\",\"cap_fe\":\"0\",\"dev\":\"00:04\",\"item\":\"1\",\"mode\":\"0100644\",\"name\":\"/proc/1/oom_score_adj\",\"rdev\":\"00:00\",\"cap_fi\":\"0000000000000000\",\"cap_fp\":\"0000000000000000\",\"cap_fver\":\"0\",\"inode\":\"25973\"}],\"message_type\":\"syscall\",\"sequence\":9052,\"result\":\"fail\",\"data\":{\"tty\":\"(none)\",\"exit\":\"EACCES\",\"a0\":\"7ffc1bfcdfa0\",\"a3\":\"7ffc1bfcde00\",\"a2\":\"55881de610b8\",\"a1\":\"1b6\",\"arch\":\"x86_64\",\"syscall\":\"creat\"}},\"event\":{\"module\":\"auditd\",\"category\":[\"file\"],\"action\":\"opened-file\",\"outcome\":\"failure\",\"kind\":\"event\",\"type\":[\"creation\"]},\"user\":{\"filesystem\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"group\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"name\":\"housetodd\"},\"name\":\"housetodd\",\"audit\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"saved\":{\"group\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"i
d\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"group\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\"},\"host\":{\"name\":\"xps-housetodd\",\"ip\":[\"144.1.237.149\"],\"mac\":[\"22:69:ae:27:fe:66\"],\"hostname\":\"xps-housetodd\",\"architecture\":\"x86_64\",\"os\":{\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\"},\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false},\"file\":{\"gid\":\"0\",\"owner\":\"housetodd\",\"group\":\"housetodd\",\"path\":\"/proc/1/oom_score_adj\",\"device\":\"00:00\",\"inode\":\"25973\",\"mode\":\"0644\",\"uid\":\"0\"},\"tags\":[\"access\"],\"service\":{\"type\":\"auditd\"},\"ecs\":{\"version\":\"1.11.0\"},\"agent\":{\"version\":\"7.15.1\",\"hostname\":\"xps-housetodd\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\",\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"xps-housetodd\",\"type\":\"auditbeat\"}}",
    "ecs": {
        "version": "1.10.0"
    },
    "process": {
        "pid": 18488,
        "name": "chrome",
        "working_directory": "/home/housetodd",
        "title": "/opt/google/chrome/chrome --type=zygote --enable-crashpad --crashpad-handler-pid=18479 --enable-crash-reporter=, --change-stack-",
        "executable": "/opt/google/chrome/chrome",
        "parent": {
            "pid": 18470
        }
    },
    "host": {
        "id": "7dd912136af040e4a6ea4f683010b824",
        "os": {
            "type": "linux",
            "kernel": "4.15.0-161-generic",
            "codename": "bionic",
            "name": "Ubuntu",
            "family": "debian",
            "platform": "ubuntu",
            "version": "18.04.6 LTS (Bionic Beaver)"
        },
        "mac": [
            "22:69:ae:27:fe:66"
        ],
        "name": "xps-housetodd",
        "ip": [
            "144.1.237.149"
        ],
        "hostname": "xps-housetodd",
        "architecture": "x86_64",
        "containerized": false
    },
    "sekoiaio": {
        "entity": {
            "id": "jw2ASKHGnsWFqGDQ",
            "uuid": "322dcda2-5cd1-438d-a49e-d76ef40d2fed",
            "name": "I8WiW2OHB9jqnxZW"
        },
        "intake": {
            "dialect_uuid": "021e9def-5a55-4369-941e-af269b45bef1",
            "dialect": "auditbeat",
            "parsing_status": "success"
        },
        "customer": {
            "id": "fe4f8db6-3ec4-4111-b5e9-0802cfed3d62",
            "community_uuid": "0da1e49f-203a-4585-973a-fbb54331bccb",
            "community_name": "jP0oXIBnhYiuJ0lI"
        }
    },
    "auditd": {
        "session": "3",
        "summary": {
            "actor": {
                "primary": "housetodd",
                "secondary": "housetodd"
            },
            "object": {
                "primary": "/proc/1/oom_score_adj",
                "type": "file"
            },
            "how": "/opt/google/chrome/chrome"
        },
        "paths": [
            {
                "cap_fe": "0",
                "cap_fver": "0",
                "inode": "16064",
                "name": "/proc/1/",
                "ogid": "0",
                "ouid": "0",
                "rdev": "00:00",
                "cap_fi": "0000000000000000",
                "cap_fp": "0000000000000000",
                "dev": "00:04",
                "item": "0",
                "mode": "040555",
                "nametype": "PARENT"
            },
            {
                "nametype": "NORMAL",
                "ogid": "0",
                "ouid": "0",
                "cap_fe": "0",
                "dev": "00:04",
                "item": "1",
                "mode": "0100644",
                "name": "/proc/1/oom_score_adj",
                "rdev": "00:00",
                "cap_fi": "0000000000000000",
                "cap_fp": "0000000000000000",
                "cap_fver": "0",
                "inode": "25973"
            }
        ],
        "message_type": "syscall",
        "sequence": 9052,
        "result": "fail",
        "data": {
            "tty": "(none)",
            "exit": "EACCES",
            "a0": "7ffc1bfcdfa0",
            "a3": "7ffc1bfcde00",
            "a2": "55881de610b8",
            "a1": "1b6",
            "arch": "x86_64",
            "syscall": "creat"
        },
        "user": {
            "saved": {
                "group": {
                    "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
                    "name": "housetodd"
                },
                "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
                "name": "housetodd"
            }
        }
    },
    "agent": {
        "type": "auditbeat",
        "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81",
        "name": "xps-housetodd",
        "version": "7.15.1",
        "hostname": "xps-housetodd",
        "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a"
    },
    "file": {
        "inode": "25973",
        "path": "/proc/1/oom_score_adj",
        "gid": "0",
        "uid": "0",
        "group": "housetodd",
        "device": "00:00",
        "owner": "housetodd",
        "mode": "0644"
    },
    "service": {
        "type": "auditd"
    },
    "related": {
        "hash": [
            "89e3ad1078a4ee2210d04736528e10476dda685d"
        ],
        "user": [
            "housetodd"
        ],
        "ip": [
            "144.1.237.149"
        ],
        "hosts": [
            "xps-housetodd"
        ]
    }
}
{
    "event": {
        "category": [
            "file"
        ],
        "id": "52b3da13-728a-4c7f-8857-ab01774ad49b",
        "outcome": "success",
        "module": "auditd",
        "type": [
            "info"
        ],
        "dialect": "auditbeat",
        "action": "violated-seccomp-policy",
        "hash": "2ca4c1dee00078e88b47ffdc1a0584a43e0fbbb1",
        "kind": "event",
        "created": "2021-04-06",
        "dialect_uuid": "138080ec-6961-43fd-97c2-99ef95a9a1ed"
    },
    "ecs": {
        "version": "1.10.0"
    },
    "host": {
        "mac": [
            "0c:5d:c0:dc:1f:3f"
        ],
        "id": "7dd912136af040e4a6ea4f683010b824",
        "name": "xps-UWWL21LVdEVmqrbT",
        "architecture": "x86_64",
        "containerized": false,
        "os": {
            "type": "linux",
            "family": "debian",
            "name": "Ubuntu",
            "version": "18.04.6 LTS (Bionic Beaver)",
            "kernel": "4.15.0-161-generic",
            "codename": "bionic",
            "platform": "ubuntu"
        },
        "ip": [
            "43.161.42.208"
        ],
        "hostname": "xps-UWWL21LVdEVmqrbT"
    },
    "message": "{\"@timestamp\":\"2021-11-09T19:07:37.325Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"event\":{\"outcome\":\"unknown\",\"kind\":\"event\",\"type\":[\"info\"],\"module\":\"auditd\",\"category\":[\"file\"],\"action\":\"violated-seccomp-policy\"},\"user\":{\"id\":\"56d2c11c-9371-4617-bac3-2c18e86042c6\",\"audit\":{\"id\":\"56d2c11c-9371-4617-bac3-2c18e86042c6\",\"name\":\"UWWL21LVdEVmqrbT\"},\"group\":{\"id\":\"56d2c11c-9371-4617-bac3-2c18e86042c6\",\"name\":\"UWWL21LVdEVmqrbT\"},\"name\":\"UWWL21LVdEVmqrbT\"},\"process\":{\"name\":\"ThreadPoolSingl\",\"executable\":\"/opt/google/chrome/chrome\",\"pid\":2720},\"host\":{\"mac\":[\"0c:5d:c0:dc:1f:3f\"],\"hostname\":\"xps-UWWL21LVdEVmqrbT\",\"architecture\":\"x86_64\",\"os\":{\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\"},\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false,\"ip\":[\"43.161.42.208\"],\"name\":\"xps-UWWL21LVdEVmqrbT\"},\"agent\":{\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"xps-UWWL21LVdEVmqrbT\",\"type\":\"auditbeat\",\"version\":\"7.15.1\",\"hostname\":\"xps-UWWL21LVdEVmqrbT\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\"},\"ecs\":{\"version\":\"1.11.0\"},\"auditd\":{\"session\":\"2\",\"summary\":{\"how\":\"/opt/google/chrome/chrome\",\"actor\":{\"primary\":\"UWWL21LVdEVmqrbT\",\"secondary\":\"UWWL21LVdEVmqrbT\"},\"object\":{\"primary\":\"stat\",\"type\":\"process\"}},\"message_type\":\"seccomp\",\"sequence\":12522,\"result\":\"unknown\",\"data\":{\"code\":\"0x50000\",\"syscall\":\"stat\",\"compat\":\"0\",\"ip\":\"0x7fe0a0df1845\",\"arch\":\"x86_64\",\"sig\":\"0\"}},\"service\":{\"type\":\"auditd\"}}",
    "sekoiaio": {
        "entity": {
            "id": "XvCY1OAD5kpZ4aMT",
            "name": "ijcI4rUMLB7FQJUl",
            "uuid": "bee1bd11-f55d-4d9c-a6b2-cd083ef6eb30"
        },
        "customer": {
            "community_name": "IaK78sRooYQr06mu",
            "id": "e8cf9595-d9fd-49d6-814d-a36976e997a9",
            "community_uuid": "4d2ae6d8-87a6-41a9-a9cf-6f6cdb667edc"
        },
        "intake": {
            "dialect": "auditbeat",
            "parsing_status": "success",
            "dialect_uuid": "021e9def-5a55-4369-941e-af269b45bef1"
        }
    },
    "agent": {
        "type": "auditbeat",
        "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81",
        "name": "xps-UWWL21LVdEVmqrbT",
        "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a",
        "version": "7.15.1",
        "hostname": "xps-UWWL21LVdEVmqrbT"
    },
    "related": {
        "hosts": [
            "xps-UWWL21LVdEVmqrbT"
        ],
        "ip": [
            "43.161.42.208"
        ],
        "user": [
            "UWWL21LVdEVmqrbT"
        ],
        "hash": [
            "2ca4c1dee00078e88b47ffdc1a0584a43e0fbbb1"
        ]
    },
    "user": {
        "id": "56d2c11c-9371-4617-bac3-2c18e86042c6",
        "name": "UWWL21LVdEVmqrbT",
        "audit": {
            "id": "56d2c11c-9371-4617-bac3-2c18e86042c6",
            "name": "UWWL21LVdEVmqrbT"
        },
        "group": {
            "id": "56d2c11c-9371-4617-bac3-2c18e86042c6",
            "name": "UWWL21LVdEVmqrbT"
        }
    },
    "process": {
        "pid": 2720,
        "executable": "/opt/google/chrome/chrome",
        "name": "ThreadPoolSingl"
    },
    "@timestamp": "2021-11-09T19:07:37.325Z",
    "auditd": {
        "session": "2",
        "summary": {
            "how": "/opt/google/chrome/chrome",
            "actor": {
                "primary": "UWWL21LVdEVmqrbT",
                "secondary": "UWWL21LVdEVmqrbT"
            },
            "object": {
                "primary": "stat",
                "type": "process"
            }
        },
        "message_type": "seccomp",
        "sequence": 12522,
        "result": "unknown",
        "data": {
            "code": "0x50000",
            "syscall": "stat",
            "compat": "0",
            "ip": "0x7fe0a0df1845",
            "arch": "x86_64",
            "sig": "0"
        }
    },
    "service": {
        "type": "auditd"
    }
}
{
    "ecs": {
        "version": "1.10.0"
    },
    "user": {
        "audit": {
            "id": "0",
            "name": "root"
        },
        "effective": {
            "id": "0",
            "name": "root"
        }
    },
    "host": {
        "mac": [
            "5e:55:38:73:40:a4"
        ],
        "id": "7dd912136af040e4a6ea4f683010b824",
        "name": "web-65",
        "containerized": false,
        "hostname": "web-65",
        "os": {
            "type": "linux",
            "platform": "ubuntu",
            "name": "Ubuntu",
            "kernel": "4.15.0-161-generic",
            "family": "debian",
            "version": "18.04.6 LTS (Bionic Beaver)",
            "codename": "bionic"
        },
        "ip": [
            "66.253.230.251"
        ],
        "architecture": "x86_64"
    },
    "agent": {
        "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81",
        "type": "auditbeat",
        "name": "web-65",
        "hostname": "web-65",
        "version": "7.15.1",
        "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a"
    },
    "sekoiaio": {
        "intake": {
            "dialect_uuid": "021e9def-5a55-4369-941e-af269b45bef1",
            "parsing_status": "success",
            "dialect": "auditbeat"
        },
        "customer": {
            "id": "986e50d4-5db1-4dfd-a079-ca8f462647e1",
            "community_uuid": "437c6901-db28-473e-b2bc-0c79c57585c8",
            "community_name": "8qVekia1L80BrZOJ"
        },
        "entity": {
            "uuid": "0d4efad3-ac86-48d3-b2ac-5591d6ad2a09",
            "id": "d6DQmV77mYqMlxTh",
            "name": "nr1AfxwR5deBbmEO"
        }
    },
    "service": {
        "type": "auditd"
    },
    "@timestamp": "2021-11-09T18:35:01.754Z",
    "message": "{\"@timestamp\":\"2021-11-09T18:35:01.754Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"related\":{\"user\":[\"root\"]},\"service\":{\"type\":\"auditd\"},\"event\":{\"module\":\"auditd\",\"category\":[\"authentication\"],\"action\":\"changed-login-id-to\",\"outcome\":\"success\",\"kind\":\"event\",\"type\":[\"start\"]},\"user\":{\"audit\":{\"id\":\"0\",\"name\":\"root\"},\"effective\":{\"id\":\"0\",\"name\":\"root\"}},\"ecs\":{\"version\":\"1.11.0\"},\"host\":{\"containerized\":false,\"ip\":[\"66.253.230.251\"],\"mac\":[\"5e:55:38:73:40:a4\"],\"hostname\":\"web-65\",\"architecture\":\"x86_64\",\"os\":{\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\",\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\"},\"name\":\"web-65\",\"id\":\"7dd912136af040e4a6ea4f683010b824\"},\"agent\":{\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\",\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"web-65\",\"type\":\"auditbeat\",\"version\":\"7.15.1\",\"hostname\":\"web-65\"},\"process\":{\"pid\":20899},\"auditd\":{\"data\":{\"tty\":\"(none)\",\"old-ses\":\"4294967295\"},\"session\":\"436\",\"summary\":{\"actor\":{\"primary\":\"unset\",\"secondary\":\"root\"},\"object\":{\"primary\":\"0\",\"type\":\"user-session\"}},\"message_type\":\"login\",\"sequence\":11578,\"result\":\"success\"}}",
    "event": {
        "dialect_uuid": "4922a107-c91d-46e8-ab0b-d21236d92b90",
        "id": "8a23c8c9-59c5-4226-9507-5432f1a33898",
        "type": [
            "start"
        ],
        "category": [
            "authentication"
        ],
        "hash": "260c64ee23e7fed757cd65e01aebc80dc9333089",
        "kind": "event",
        "created": "2021-05-26",
        "module": "auditd",
        "dialect": "auditbeat",
        "outcome": "success",
        "action": "changed-login-id-to"
    },
    "related": {
        "hash": [
            "260c64ee23e7fed757cd65e01aebc80dc9333089"
        ],
        "ip": [
            "66.253.230.251"
        ],
        "hosts": [
            "web-65"
        ]
    },
    "process": {
        "pid": 20899
    },
    "auditd": {
        "data": {
            "tty": "(none)",
            "old-ses": "4294967295"
        },
        "session": "436",
        "summary": {
            "actor": {
                "primary": "unset",
                "secondary": "root"
            },
            "object": {
                "primary": "0",
                "type": "user-session"
            }
        },
        "message_type": "login",
        "sequence": 11578,
        "result": "success"
    }
}
{
    "event": {
        "dialect_uuid": "423c9f61-0282-464d-a2f3-f2d745b59a3b",
        "id": "c7679ece-e22f-4144-a7f5-619034aa036d",
        "category": [
            "process"
        ],
        "hash": "249e78b65ea6378a41037766bd8b1f01abd1a371",
        "outcome": "success",
        "module": "auditd",
        "type": [
            "start"
        ],
        "dialect": "auditbeat",
        "created": "2021-03-12",
        "kind": "event",
        "action": "started-service"
    },
    "host": {
        "id": "7dd912136af040e4a6ea4f683010b824",
        "name": "LCPmbaxBgGyJj8VH",
        "mac": [
            "09:d0:5f:99:43:f6"
        ],
        "os": {
            "family": "debian",
            "name": "Ubuntu",
            "codename": "bionic",
            "type": "linux",
            "version": "18.04.6 LTS (Bionic Beaver)",
            "kernel": "4.15.0-161-generic",
            "platform": "ubuntu"
        },
        "architecture": "x86_64",
        "ip": [
            "87.138.107.154"
        ],
        "containerized": false,
        "hostname": "LCPmbaxBgGyJj8VH"
    },
    "user": {
        "id": "16bb03ba-2e90-4c98-a5c8-c3d8b8b52c1e",
        "name": "X9PzJKityWAFaA5i"
    },
    "ecs": {
        "version": "1.10.0"
    },
    "message": "{\"@timestamp\":\"2021-11-09T19:02:33.866Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"event\":{\"kind\":\"event\",\"type\":[\"start\"],\"module\":\"auditd\",\"category\":[\"process\"],\"action\":\"started-service\",\"outcome\":\"success\"},\"user\":{\"id\":\"16bb03ba-2e90-4c98-a5c8-c3d8b8b52c1e\",\"name\":\"X9PzJKityWAFaA5i\"},\"process\":{\"pid\":1,\"name\":\"systemd\",\"executable\":\"/lib/systemd/systemd\"},\"auditd\":{\"result\":\"success\",\"data\":{\"unit\":\"anacron\"},\"summary\":{\"how\":\"/lib/systemd/systemd\",\"actor\":{\"primary\":\"unset\",\"secondary\":\"X9PzJKityWAFaA5i\"},\"object\":{\"primary\":\"anacron\",\"type\":\"service\"}},\"message_type\":\"service_start\",\"sequence\":12295},\"service\":{\"type\":\"auditd\"},\"ecs\":{\"version\":\"1.11.16bb03ba-2e90-4c98-a5c8-c3d8b8b52c1e\"},\"host\":{\"hostname\":\"LCPmbaxBgGyJj8VH\",\"architecture\":\"x86_64\",\"os\":{\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\",\"family\":\"debian\"},\"name\":\"LCPmbaxBgGyJj8VH\",\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false,\"ip\":[\"87.138.107.154\"],\"mac\":[\"09:d0:5f:99:43:f6\"]},\"agent\":{\"hostname\":\"LCPmbaxBgGyJj8VH\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\",\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"LCPmbaxBgGyJj8VH\",\"type\":\"auditbeat\",\"version\":\"7.15.1\"}}",
    "sekoiaio": {
        "customer": {
            "id": "c4f66c2f-d5b8-422b-99bb-58861ecf29b2",
            "community_name": "nPBqXTDSBeAay0G4",
            "community_uuid": "9074f2a1-49f9-4b01-9fc7-6c826a330a5a"
        },
        "entity": {
            "id": "6jg8OBtPENQkrAFy",
            "uuid": "3fca9011-7dd8-4a75-a311-9cee8a9daf8a",
            "name": "pW9vnD1tYtahvz1u"
        },
        "intake": {
            "dialect_uuid": "021e9def-5a55-4369-941e-af269b45bef1",
            "parsing_status": "success",
            "dialect": "auditbeat"
        }
    },
    "agent": {
        "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81",
        "name": "LCPmbaxBgGyJj8VH",
        "type": "auditbeat",
        "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a",
        "version": "7.15.1",
        "hostname": "LCPmbaxBgGyJj8VH"
    },
    "service": {
        "type": "auditd"
    },
    "@timestamp": "2021-11-09T19:02:33.866Z",
    "related": {
        "user": [
            "X9PzJKityWAFaA5i"
        ],
        "hash": [
            "249e78b65ea6378a41037766bd8b1f01abd1a371"
        ],
        "hosts": [
            "LCPmbaxBgGyJj8VH"
        ],
        "ip": [
            "87.138.107.154"
        ]
    },
    "auditd": {
        "result": "success",
        "data": {
            "unit": "anacron"
        },
        "summary": {
            "how": "/lib/systemd/systemd",
            "actor": {
                "primary": "unset",
                "secondary": "X9PzJKityWAFaA5i"
            },
            "object": {
                "primary": "anacron",
                "type": "service"
            }
        },
        "message_type": "service_start",
        "sequence": 12295
    },
    "process": {
        "pid": 1,
        "name": "systemd",
        "executable": "/lib/systemd/systemd"
    }
}
{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "agent": {
        "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "hostname": "fame",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    },
    "auditbeat": {
        "message": "Process containerd (PID: 1197) by user root is RUNNING"
    },
    "auditd": {
        "user": {
            "saved": {
                "group": {
                    "id": "0"
                },
                "id": "0"
            }
        }
    },
    "event": {
        "action": "existing_process",
        "category": [
            "process"
        ],
        "dataset": "process",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "kind": "state",
        "module": "system",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "fame"
    },
    "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"message\":\"Process containerd (PID: 1197) by user root is RUNNING\",\"user\":{\"group\":{\"name\":\"root\",\"id\":\"0\"},\"effective\":{\"id\":\"0\",\"group\":{\"id\":\"0\"}},\"saved\":{\"id\":\"0\",\"group\":{\"id\":\"0\"}},\"name\":\"root\",\"id\":\"0\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\"},\"service\":{\"type\":\"system\"},\"event\":{\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\",\"category\":[\"process\"],\"type\":[\"info\"]},\"process\":{\"args\":[\"containerd\"],\"pid\":1197,\"ppid\":1,\"working_directory\":\"/\",\"entity_id\":\"AZERTYqsdfghjklm\",\"name\":\"containerd\",\"executable\":\"/usr/bin/containerd\",\"start\":\"2021-01-01T00:01:01.000Z\",\"hash\":{\"sha1\":\"azertyuiop1234567890\"}, \"command_line\": \"/usr/bin/containerd\"}}",
    "process": {
        "args": [
            "containerd"
        ],
        "entity_id": "AZERTYqsdfghjklm",
        "executable": "/usr/bin/containerd",
        "hash": {
            "sha1": "azertyuiop1234567890"
        },
        "name": "containerd",
        "pid": 1197,
        "start": "2021-01-01T00:01:01.000Z",
        "working_directory": "/",
        "command_line": "/usr/bin/containerd",
        "parent": {
            "pid": 1
        }
    },
    "sekoiaio": {
        "intake": {
            "dialect": "auditbeat",
            "dialect_uuid": "12345678-azer-1234-a1z2-12qsdfghjklm"
        }
    },
    "service": {
        "type": "system"
    },
    "user": {
        "effective": {
            "group": {
                "id": "0"
            },
            "id": "0"
        },
        "group": {
            "id": "0",
            "name": "root"
        },
        "id": "0",
        "name": "root"
    }
}
{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "agent": {
        "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "hostname": "fame",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    },
    "auditbeat": {
        "message": "Process unattended-upgr (PID: 1195) by user root is RUNNING"
    },
    "auditd": {
        "user": {
            "saved": {
                "group": {
                    "id": "0"
                },
                "id": "0"
            }
        }
    },
    "event": {
        "action": "existing_process",
        "category": [
            "process"
        ],
        "dataset": "process",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "kind": "state",
        "module": "system",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "fame"
    },
    "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"message\":\"Process unattended-upgr (PID: 1195) by user root is RUNNING\",\"user\":{\"name\":\"root\",\"id\":\"0\",\"group\":{\"id\":\"0\",\"name\":\"root\"},\"effective\":{\"group\":{\"id\":\"0\"},\"id\":\"0\"},\"saved\":{\"id\":\"0\",\"group\":{\"id\":\"0\"}}},\"service\":{\"type\":\"system\"},\"event\":{\"type\":[\"info\"],\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\",\"category\":[\"process\"]},\"process\":{\"args\":[\"/usr/bin/python3\",\"/usr/share/unattended-upgrades/unattended-upgrade-shutdown\",\"--wait-for-signal\"],\"start\":\"2021-01-01T00:01:01.000Z\",\"hash\":{\"sha1\":\"azertyuiop1234567890\"},\"name\":\"unattended-upgr\",\"entity_id\":\"rvSkGilnHCy6yuIZ\",\"pid\":1195,\"ppid\":1,\"executable\":\"/usr/bin/python3.8\",\"working_directory\":\"/\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"version\":\"7.13.0\",\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\"}}",
    "process": {
        "args": [
            "/usr/bin/python3",
            "/usr/share/unattended-upgrades/unattended-upgrade-shutdown",
            "--wait-for-signal"
        ],
        "entity_id": "rvSkGilnHCy6yuIZ",
        "executable": "/usr/bin/python3.8",
        "hash": {
            "sha1": "azertyuiop1234567890"
        },
        "name": "unattended-upgr",
        "pid": 1195,
        "start": "2021-01-01T00:01:01.000Z",
        "working_directory": "/",
        "command_line": "/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal",
        "parent": {
            "pid": 1
        }
    },
    "sekoiaio": {
        "intake": {
            "dialect": "auditbeat",
            "dialect_uuid": "12345678-azer-1234-a1z2-12qsdfghjklm"
        }
    },
    "service": {
        "type": "system"
    },
    "user": {
        "effective": {
            "group": {
                "id": "0"
            },
            "id": "0"
        },
        "group": {
            "id": "0",
            "name": "root"
        },
        "id": "0",
        "name": "root"
    }
}
{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "agent": {
        "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "hostname": "fame",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    },
    "auditbeat": {
        "message": "Process postgres (PID: 207706) by user postgres is RUNNING"
    },
    "auditd": {
        "user": {
            "saved": {
                "group": {
                    "id": "121"
                },
                "id": "114"
            }
        }
    },
    "event": {
        "action": "existing_process",
        "category": [
            "process"
        ],
        "dataset": "process",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "kind": "state",
        "module": "system",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "fame"
    },
    "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"version\":\"7.13.0\",\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\"},\"user\":{\"effective\":{\"id\":\"114\",\"group\":{\"id\":\"121\"}},\"saved\":{\"id\":\"114\",\"group\":{\"id\":\"121\"}},\"name\":\"postgres\",\"id\":\"114\",\"group\":{\"name\":\"postgres\",\"id\":\"121\"}},\"service\":{\"type\":\"system\"},\"event\":{\"category\":[\"process\"],\"type\":[\"info\"],\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\"},\"process\":{\"executable\":\"/usr/lib/postgresql/9.5/bin/postgres\",\"ppid\":1231,\"start\":\"2021-01-01T00:01:01.000Z\",\"hash\":{\"sha1\":\"azertyuiop1234567890\"},\"name\":\"postgres\",\"args\":[\"postgres: cuckoo cuckoo 127.0.0.1(45786) idle\"],\"entity_id\":\"azertyuiop\",\"working_directory\":\"/var/lib/postgresql/9.5/main\",\"pid\":207706},\"message\":\"Process postgres (PID: 207706) by user postgres is RUNNING\"}",
    "process": {
        "args": [
            "postgres: cuckoo cuckoo 127.0.0.1(45786) idle"
        ],
        "entity_id": "azertyuiop",
        "executable": "/usr/lib/postgresql/9.5/bin/postgres",
        "hash": {
            "sha1": "azertyuiop1234567890"
        },
        "name": "postgres",
        "pid": 207706,
        "start": "2021-01-01T00:01:01.000Z",
        "working_directory": "/var/lib/postgresql/9.5/main",
        "parent": {
            "pid": 1231
        }
    },
    "service": {
        "type": "system"
    },
    "user": {
        "effective": {
            "group": {
                "id": "121"
            },
            "id": "114"
        },
        "group": {
            "id": "121",
            "name": "postgres"
        },
        "id": "114",
        "name": "postgres"
    }
}
{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "agent": {
        "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "hostname": "fame",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    },
    "client": {
        "address": "127.0.0.1",
        "bytes": 52,
        "ip": "127.0.0.1",
        "packets": 1,
        "port": 88888
    },
    "destination": {
        "address": "127.0.0.1",
        "bytes": 32,
        "ip": "127.0.0.1",
        "packets": 1,
        "port": 11111
    },
    "event": {
        "action": "network_flow",
        "category": [
            "network",
            "network_traffic"
        ],
        "dataset": "socket",
        "duration": 116168,
        "end": "2021-01-01T00:01:01.000Z",
        "kind": "event",
        "module": "system",
        "start": "2021-01-01T00:01:01.000Z",
        "type": [
            "info",
            "connection"
        ]
    },
    "host": {
        "name": "fame"
    },
    "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"related\":{\"ip\":[\"127.0.0.1\",\"127.0.0.1\"]},\"service\":{\"type\":\"system\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"client\":{\"port\":88888,\"packets\":1,\"bytes\":52,\"ip\":\"127.0.0.1\"},\"system\":{\"audit\":{\"socket\":{\"kernel_sock_address\":\"0xffff8e9955b02300\"}}},\"network\":{\"direction\":\"unknown\",\"type\":\"ipv4\",\"transport\":\"tcp\",\"packets\":2,\"bytes\":84,\"community_id\":\"12345678901234567891234567890\"},\"event\":{\"duration\":116168,\"module\":\"system\",\"kind\":\"event\",\"action\":\"network_flow\",\"type\":[\"info\",\"connection\"],\"dataset\":\"socket\",\"end\":\"2021-01-01T00:01:01.000Z\",\"category\":[\"network\",\"network_traffic\"],\"start\":\"2021-01-01T00:01:01.000Z\"},\"flow\":{\"complete\":false,\"final\":true},\"agent\":{\"version\":\"7.13.0\",\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\"},\"source\":{\"packets\":1,\"bytes\":52,\"ip\":\"127.0.0.1\",\"port\":88888},\"destination\":{\"port\":11111,\"packets\":1,\"bytes\":32,\"ip\":\"127.0.0.1\"},\"server\":{\"ip\":\"127.0.0.1\",\"port\":11111,\"packets\":1,\"bytes\":32}}",
    "network": {
        "bytes": 84,
        "community_id": "12345678901234567891234567890",
        "direction": "unknown",
        "packets": 2,
        "transport": "tcp",
        "type": "ipv4"
    },
    "server": {
        "bytes": 32,
        "ip": "127.0.0.1",
        "packets": 1,
        "port": 11111
    },
    "service": {
        "type": "system"
    },
    "source": {
        "address": "127.0.0.1",
        "bytes": 52,
        "ip": "127.0.0.1",
        "packets": 1,
        "port": 88888
    }
}
{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "agent": {
        "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "hostname": "fame",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    },
    "auditbeat": {
        "message": "Process dbus-daemon (PID: 645) by user messagebus is RUNNING"
    },
    "auditd": {
        "user": {
            "saved": {
                "group": {
                    "id": "110"
                },
                "id": "106"
            }
        }
    },
    "event": {
        "action": "existing_process",
        "category": [
            "process"
        ],
        "dataset": "process",
        "id": "12345678-azer-1234-a1z2-12qsdfghjklm",
        "kind": "state",
        "module": "system",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "fame"
    },
    "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"user\":{\"group\":{\"name\":\"messagebus\",\"id\":\"110\"},\"effective\":{\"id\":\"106\",\"group\":{\"id\":\"110\"}},\"saved\":{\"group\":{\"id\":\"110\"},\"id\":\"106\"},\"name\":\"messagebus\",\"id\":\"106\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\"},\"service\":{\"type\":\"system\"},\"event\":{\"category\":[\"process\"],\"type\":[\"info\"],\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\"},\"process\":{\"args\":[\"/usr/bin/dbus-daemon\",\"--system\",\"--address=systemd:\",\"--nofork\",\"--nopidfile\",\"--systemd-activation\",\"--syslog-only\"],\"hash\":{\"sha1\":\"azertyuiop1234567890\"},\"entity_id\":\"azertyuiop\",\"working_directory\":\"/\",\"ppid\":1,\"pid\":645,\"start\":\"2021-01-01T00:01:01.000Z\",\"executable\":\"/usr/bin/dbus-daemon\",\"name\":\"dbus-daemon\"},\"message\":\"Process dbus-daemon (PID: 645) by user messagebus is RUNNING\"}",
    "process": {
        "args": [
            "/usr/bin/dbus-daemon",
            "--system",
            "--address=systemd:",
            "--nofork",
            "--nopidfile",
            "--systemd-activation",
            "--syslog-only"
        ],
        "entity_id": "azertyuiop",
        "executable": "/usr/bin/dbus-daemon",
        "hash": {
            "sha1": "azertyuiop1234567890"
        },
        "name": "dbus-daemon",
        "pid": 645,
        "start": "2021-01-01T00:01:01.000Z",
        "working_directory": "/",
        "command_line": "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only",
        "parent": {
            "pid": 1
        }
    },
    "service": {
        "type": "system"
    },
    "user": {
        "effective": {
            "group": {
                "id": "110"
            },
            "id": "106"
        },
        "group": {
            "id": "110",
            "name": "messagebus"
        },
        "id": "106",
        "name": "messagebus"
    }
}
{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "agent": {
        "ephemeral_id": "0101010-abcd-1234-a1b2c3d4e5f6g7h8",
        "hostname": "fame",
        "id": "0101010-abcd-1234-a1b2c3d4e5f6g7h8",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    },
    "auditbeat": {
        "message": "Process postgres (PID: 1234) by user postgres is RUNNING"
    },
    "auditd": {
        "user": {
            "saved": {
                "group": {
                    "id": "121"
                },
                "id": "114"
            }
        }
    },
    "event": {
        "action": "existing_process",
        "category": [
            "process"
        ],
        "dataset": "process",
        "id": "e9c16612-2053-4bc6-86aa-7e04c6114ecc",
        "kind": "state",
        "module": "system",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "fame"
    },
    "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"service\":{\"type\":\"system\"},\"event\":{\"action\":\"existing_process\",\"id\":\"e9c16612-2053-4bc6-86aa-7e04c6114ecc\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\",\"category\":[\"process\"],\"type\":[\"info\"]},\"process\":{\"executable\":\"/usr/lib/postgresql/9.5/bin/postgres\",\"entity_id\":\"1234zertyui\",\"ppid\":1231,\"start\":\"2021-01-01T00:01:01.000Z\",\"name\":\"postgres\",\"pid\":1234,\"working_directory\":\"/var/lib/postgresql/9.5/main\",\"hash\":{\"sha1\":\"12345678901234567891234567890\"},\"args\":[\"postgres: wal writer process   \"]},\"host\":{\"name\":\"fame\"},\"agent\":{\"ephemeral_id\":\"0101010-abcd-1234-a1b2c3d4e5f6g7h8\",\"id\":\"0101010-abcd-1234-a1b2c3d4e5f6g7h8\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\",\"hostname\":\"fame\"},\"ecs\":{\"version\":\"1.9.0\"},\"message\":\"Process postgres (PID: 1234) by user postgres is RUNNING\",\"user\":{\"effective\":{\"group\":{\"id\":\"121\"},\"id\":\"114\"},\"saved\":{\"id\":\"114\",\"group\":{\"id\":\"121\"}},\"name\":\"postgres\",\"id\":\"114\",\"group\":{\"id\":\"121\",\"name\":\"postgres\"}}}",
    "process": {
        "args": [
            "postgres: wal writer process   "
        ],
        "entity_id": "1234zertyui",
        "executable": "/usr/lib/postgresql/9.5/bin/postgres",
        "hash": {
            "sha1": "12345678901234567891234567890"
        },
        "name": "postgres",
        "pid": 1234,
        "parent": {
            "pid": 1231
        },
        "start": "2021-01-01T00:01:01.000Z",
        "working_directory": "/var/lib/postgresql/9.5/main"
    },
    "service": {
        "type": "system"
    },
    "user": {
        "effective": {
            "group": {
                "id": "121"
            },
            "id": "114"
        },
        "group": {
            "id": "121",
            "name": "postgres"
        },
        "id": "114",
        "name": "postgres"
    }
}
{
    "@timestamp": "2021-01-01T00:01:01.000Z",
    "agent": {
        "ephemeral_id": "0101010-abcd-1234-a1b2c3d4e5f6g7h8",
        "hostname": "fame",
        "id": "123poi-99zz-4qzds099-qsd-azerty",
        "name": "fame",
        "type": "auditbeat",
        "version": "7.13.0"
    },
    "client": {
        "bytes": 70,
        "domain": "malware1.viralstudio.org",
        "ip": "255.255.255.1",
        "packets": 1,
        "port": 58855
    },
    "destination": {
        "bytes": 123,
        "ip": "8.8.8.8",
        "packets": 1,
        "port": 53
    },
    "ecs": {
        "version": "1.9.0"
    },
    "event": {
        "action": "network_flow",
        "category": [
            "network",
            "network_traffic"
        ],
        "dataset": "socket",
        "duration": 12345,
        "end": "2021-01-01T00:01:01.000Z",
        "kind": "event",
        "module": "system",
        "start": "2021-01-01T00:01:01.000Z",
        "type": [
            "info",
            "connection"
        ]
    },
    "group": {
        "id": "0",
        "name": "root"
    },
    "host": {
        "name": "fame"
    },
    "network": {
        "bytes": 210,
        "community_id": "azertyuiopsdfghjklm",
        "direction": "egress",
        "packets": 2,
        "transport": "udp",
        "type": "ipv4"
    },
    "process": {
        "args": [
            "smtp",
            "-t",
            "unix",
            "-u",
            "-c"
        ],
        "executable": "/usr/lib/postfix/sbin/smtp",
        "name": "smtp",
        "pid": 9876543,
        "command_line": "smtp -t unix -u -c"
    },
    "related": {
        "ip": [
            "255.255.255.1",
            "8.8.8.8"
        ],
        "user": [
            "root"
        ]
    },
    "server": {
        "bytes": 123,
        "ip": "8.8.8.8",
        "packets": 1,
        "port": 53
    },
    "service": {
        "type": "system"
    },
    "source": {
        "bytes": 70,
        "domain": "malware1.viralstudio.org",
        "ip": "255.255.255.1",
        "packets": 1,
        "port": 58855
    },
    "user": {
        "id": "0",
        "name": "root"
    }
}
{
    "@timestamp": "2021-11-09T16:17:55.149Z",
    "process": {
        "pid": 12416,
        "working_directory": "/home/NElD74Hc4MX8PjLF/Documents/Projets/Qh1HoDnBg4mYfHhi"
    },
    "event": {
        "category": [
            "process"
        ],
        "id": "5a4533a0-1493-4c8c-a77c-c11bcb6dad7c",
        "dialect_uuid": "1b730d40-efc3-4d5d-b2e1-88bec50279b4",
        "kind": "event",
        "module": "auditd",
        "action": "ran-command",
        "type": [
            "start"
        ],
        "outcome": "success",
        "hash": "d0bbb264b6b96f6d62736c1af94d8b83b3b6ad3f",
        "created": "2021-08-20",
        "dialect": "auditbeat"
    },
    "sekoiaio": {
        "intake": {
            "parsing_status": "success",
            "dialect_uuid": "021e9def-5a55-4369-941e-af269b45bef1",
            "dialect": "auditbeat"
        },
        "entity": {
            "id": "Qh1HoDnBg4mYfHhi",
            "uuid": "0b326c92-cdae-4149-818d-7d2e24864eff",
            "name": "3utjzQNc3uN2iAL7"
        },
        "customer": {
            "id": "d5afec27-90be-43b0-8b6a-902b1ae1ee42",
            "community_name": "kBugMo5Or8YMCmmi",
            "community_uuid": "de723233-a1db-4c72-a0a8-3a14df6e9154"
        }
    },
    "message": "{\"@timestamp\":\"2021-11-09T16:17:55.149Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"event\":{\"kind\":\"event\",\"type\":[\"start\"],\"module\":\"auditd\",\"category\":[\"process\"],\"action\":\"ran-command\",\"outcome\":\"success\"},\"user\":{\"id\":\"4e8ff660-f139-4248-8b64-ad29495fca9e\",\"name\":\"NElD74Hc4MX8PjLF\",\"audit\":{\"id\":\"4e8ff660-f139-4248-8b64-ad29495fca9e\",\"name\":\"NElD74Hc4MX8PjLF\"}},\"host\":{\"hostname\":\"web-66\",\"architecture\":\"x86_64\",\"os\":{\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\",\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\"},\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false,\"ip\":[\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\",\"173.8.126.146\"],\"name\":\"web-66\",\"mac\":[\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\",\"57:4c:ff:5d:1e:41\"]},\"agent\":{\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"web-66\",\"type\":\"auditbeat\",\"version\":\"7.15.1\",\"hostname\":\"web-66\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\"},\"ecs\":{\"version\":\"1.11.0\"},\"process\":{\"pid\":12416,\"working_directory\":\"/home/NElD74Hc4MX8PjLF/Documents/Projets/Qh1HoDnBg4mYfHhi\"},\"auditd\":{\"data\":{\"terminal\":\"pts/3\",\"cmd\":\"systemctl status auditbeat\"},\"session\":\"2\",\"summary\":{\"actor\":{\"primary\":\"NElD74Hc4MX8PjLF\",\"secondary\":\"NElD74Hc4MX8PjLF\"},\"object\":{\"primary\":\"systemctl status auditbeat\",\"type\":\"process\"}},\"message_type\":\"user_cmd\",\"sequence\":465,\"result\":\"success\"},\"service\":{\"type\":\"auditd\"}}",
    "related": {
        "ip": [
            "173.8.126.146"
        ],
        "hash": [
            "d0bbb264b6b96f6d62736c1af94d8b83b3b6ad3f"
        ],
        "user": [
            "NElD74Hc4MX8PjLF"
        ],
        "hosts": [
            "web-66"
        ]
    },
    "agent": {
        "type": "auditbeat",
        "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81",
        "name": "web-66",
        "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a",
        "version": "7.15.1",
        "hostname": "web-66"
    },
    "user": {
        "id": "4e8ff660-f139-4248-8b64-ad29495fca9e",
        "name": "NElD74Hc4MX8PjLF",
        "audit": {
            "id": "4e8ff660-f139-4248-8b64-ad29495fca9e",
            "name": "NElD74Hc4MX8PjLF"
        }
    },
    "ecs": {
        "version": "1.10.0"
    },
    "service": {
        "type": "auditd"
    },
    "host": {
        "hostname": "web-66",
        "id": "7dd912136af040e4a6ea4f683010b824",
        "mac": [
            "57:4c:ff:5d:1e:41"
        ],
        "name": "web-66",
        "containerized": false,
        "architecture": "x86_64",
        "ip": [
            "173.8.126.146"
        ],
        "os": {
            "type": "linux",
            "name": "Ubuntu",
            "family": "debian",
            "version": "18.04.6 LTS (Bionic Beaver)",
            "kernel": "4.15.0-161-generic",
            "platform": "ubuntu",
            "codename": "bionic"
        }
    },
    "auditd": {
        "data": {
            "terminal": "pts/3",
            "cmd": "systemctl status auditbeat"
        },
        "session": "2",
        "summary": {
            "actor": {
                "primary": "NElD74Hc4MX8PjLF",
                "secondary": "NElD74Hc4MX8PjLF"
            },
            "object": {
                "primary": "systemctl status auditbeat",
                "type": "process"
            }
        },
        "message_type": "user_cmd",
        "sequence": 465,
        "result": "success"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
agent.build.original keyword Extended build information for the agent.
agent.ephemeral_id keyword Ephemeral identifier of this agent.
agent.hostname keyword None
agent.id keyword Unique identifier of this agent.
agent.name keyword Custom name of the agent.
agent.type keyword Type of the agent.
agent.version keyword Version of the agent.
as.number long None
as.organization.name keyword None
as.organization.name.text text None
auditbeat.event.original keyword None
auditbeat.labels text None
auditbeat.message text None
auditbeat.tags text None
auditbeat.timezone keyword None
auditd.data.a0 keyword None
auditd.data.a1 keyword None
auditd.data.a2 keyword None
auditd.data.a3 keyword None
auditd.data.a[0-3] keyword None
auditd.data.acct keyword None
auditd.data.acl keyword None
auditd.data.action keyword None
auditd.data.added keyword None
auditd.data.addr keyword None
auditd.data.apparmor keyword None
auditd.data.arch keyword None
auditd.data.argc keyword None
auditd.data.audit_backlog_limit keyword None
auditd.data.audit_backlog_wait_time keyword None
auditd.data.audit_enabled keyword None
auditd.data.audit_failure keyword None
auditd.data.banners keyword None
auditd.data.bool keyword None
auditd.data.bus keyword None
auditd.data.cap_fe keyword None
auditd.data.cap_fi keyword None
auditd.data.cap_fp keyword None
auditd.data.cap_fver keyword None
auditd.data.cap_pe keyword None
auditd.data.cap_pi keyword None
auditd.data.cap_pp keyword None
auditd.data.capability keyword None
auditd.data.cgroup keyword None
auditd.data.changed keyword None
auditd.data.cipher keyword None
auditd.data.class keyword None
auditd.data.cmd keyword None
auditd.data.code keyword None
auditd.data.compat keyword None
auditd.data.daddr keyword None
auditd.data.data keyword None
auditd.data.default-context keyword None
auditd.data.device keyword None
auditd.data.dir keyword None
auditd.data.direction keyword None
auditd.data.dmac keyword None
auditd.data.dport keyword None
auditd.data.enforcing keyword None
auditd.data.entries keyword None
auditd.data.exit keyword None
auditd.data.fam keyword None
auditd.data.family keyword None
auditd.data.fd keyword None
auditd.data.fe keyword None
auditd.data.feature keyword None
auditd.data.fi keyword None
auditd.data.file keyword None
auditd.data.flags keyword None
auditd.data.format keyword None
auditd.data.fp keyword None
auditd.data.fver keyword None
auditd.data.grantors keyword None
auditd.data.grp keyword None
auditd.data.hook keyword None
auditd.data.hostname keyword None
auditd.data.icmp_type keyword None
auditd.data.id keyword None
auditd.data.igid keyword None
auditd.data.img-ctx keyword None
auditd.data.inif keyword None
auditd.data.ino keyword None
auditd.data.inode_gid keyword None
auditd.data.inode_uid keyword None
auditd.data.invalid_context keyword None
auditd.data.ioctlcmd keyword None
auditd.data.ip keyword None
auditd.data.ipid keyword None
auditd.data.ipx-net keyword None
auditd.data.items keyword None
auditd.data.iuid keyword None
auditd.data.kernel keyword None
auditd.data.kind keyword None
auditd.data.ksize keyword None
auditd.data.laddr keyword None
auditd.data.len keyword None
auditd.data.list keyword None
auditd.data.lport keyword None
auditd.data.mac keyword None
auditd.data.macproto keyword None
auditd.data.maj keyword None
auditd.data.major keyword None
auditd.data.minor keyword None
auditd.data.model keyword None
auditd.data.msg keyword None
auditd.data.nargs keyword None
auditd.data.net keyword None
auditd.data.new keyword None
auditd.data.new-chardev keyword None
auditd.data.new-disk keyword None
auditd.data.new-enabled keyword None
auditd.data.new-fs keyword None
auditd.data.new-level keyword None
auditd.data.new-log_passwd keyword None
auditd.data.new-mem keyword None
auditd.data.new-net keyword None
auditd.data.new-range keyword None
auditd.data.new-rng keyword None
auditd.data.new-role keyword None
auditd.data.new-seuser keyword None
auditd.data.new-vcpu keyword None
auditd.data.new_gid keyword None
auditd.data.new_lock keyword None
auditd.data.new_pe keyword None
auditd.data.new_pi keyword None
auditd.data.new_pp keyword None
auditd.data.nlnk-fam keyword None
auditd.data.nlnk-grp keyword None
auditd.data.nlnk-pid keyword None
auditd.data.oauid keyword None
auditd.data.obj keyword None
auditd.data.obj_gid keyword None
auditd.data.obj_uid keyword None
auditd.data.ocomm keyword None
auditd.data.oflag keyword None
auditd.data.old keyword None
auditd.data.old-auid keyword None
auditd.data.old-chardev keyword None
auditd.data.old-disk keyword None
auditd.data.old-enabled keyword None
auditd.data.old-fs keyword None
auditd.data.old-level keyword None
auditd.data.old-log_passwd keyword None
auditd.data.old-mem keyword None
auditd.data.old-net keyword None
auditd.data.old-range keyword None
auditd.data.old-rng keyword None
auditd.data.old-role keyword None
auditd.data.old-ses keyword None
auditd.data.old-seuser keyword None
auditd.data.old-vcpu keyword None
auditd.data.old_enforcing keyword None
auditd.data.old_lock keyword None
auditd.data.old_pe keyword None
auditd.data.old_pi keyword None
auditd.data.old_pp keyword None
auditd.data.old_prom keyword None
auditd.data.old_val keyword None
auditd.data.op keyword None
auditd.data.opid keyword None
auditd.data.oses keyword None
auditd.data.outif keyword None
auditd.data.parent keyword None
auditd.data.per keyword None
auditd.data.perm keyword None
auditd.data.perm_mask keyword None
auditd.data.permissive keyword None
auditd.data.pfs keyword None
auditd.data.printer keyword None
auditd.data.prom keyword None
auditd.data.proto keyword None
auditd.data.qbytes keyword None
auditd.data.range keyword None
auditd.data.reason keyword None
auditd.data.removed keyword None
auditd.data.res keyword None
auditd.data.resrc keyword None
auditd.data.rport keyword None
auditd.data.sauid keyword None
auditd.data.scontext keyword None
auditd.data.selected-context keyword None
auditd.data.seperm keyword None
auditd.data.seperms keyword None
auditd.data.seqno keyword None
auditd.data.seresult keyword None
auditd.data.ses keyword None
auditd.data.seuser keyword None
auditd.data.sig keyword None
auditd.data.sigev_signo keyword None
auditd.data.smac keyword None
auditd.data.socket.addr keyword None
auditd.data.socket.family keyword None
auditd.data.socket.path keyword None
auditd.data.socket.port keyword None
auditd.data.socket.saddr keyword None
auditd.data.spid keyword None
auditd.data.sport keyword None
auditd.data.state keyword None
auditd.data.subj keyword None
auditd.data.success keyword None
auditd.data.syscall keyword None
auditd.data.table keyword None
auditd.data.tclass keyword None
auditd.data.tcontext keyword None
auditd.data.terminal keyword None
auditd.data.tty keyword None
auditd.data.unit keyword None
auditd.data.uri keyword None
auditd.data.uuid keyword None
auditd.data.val keyword None
auditd.data.ver keyword None
auditd.data.virt keyword None
auditd.data.vm keyword None
auditd.data.vm-ctx keyword None
auditd.data.vm-pid keyword None
auditd.data.watch keyword None
auditd.message_type keyword None
auditd.paths nested None
auditd.result keyword None
auditd.sequence long None
auditd.session keyword None
auditd.summary.actor.primary keyword None
auditd.summary.actor.secondary keyword None
auditd.summary.how keyword None
auditd.summary.object.primary keyword None
auditd.summary.object.secondary keyword None
auditd.summary.object.type keyword None
auditd.user.saved.group.id keyword None
auditd.user.saved.group.name keyword None
auditd.user.saved.id keyword None
auditd.user.saved.name keyword None
client.address keyword Client network address.
client.as.number long Unique number allocated to the autonomous system.
client.as.organization.name keyword Organization name.
client.as.organization.name.text text None
client.bytes long Bytes sent from the client to the server.
client.domain keyword The domain name of the client.
client.geo.city_name keyword City name.
client.geo.continent_code keyword Continent code.
client.geo.continent_name keyword Name of the continent.
client.geo.country_iso_code keyword Country ISO code.
client.geo.country_name keyword Country name.
client.geo.location geo_point Longitude and latitude.
client.geo.name keyword User-defined description of a location.
client.geo.postal_code keyword Postal code.
client.geo.region_iso_code keyword Region ISO code.
client.geo.region_name keyword Region name.
client.geo.timezone keyword Time zone.
client.ip ip IP address of the client.
client.mac keyword MAC address of the client.
client.nat.ip ip Client NAT IP address
client.nat.port long Client NAT port
client.packets long Packets sent from the client to the server.
client.port long Port of the client.
client.registered_domain keyword The highest registered client domain, stripped of the subdomain.
client.subdomain keyword The subdomain of the domain.
client.top_level_domain keyword The effective top level domain (com, org, net, co.uk).
client.user.domain keyword Name of the directory the user is a member of.
client.user.email keyword User email address.
client.user.full_name keyword User's full name, if available.
client.user.full_name.text text None
client.user.group.domain keyword Name of the directory the group is a member of.
client.user.group.id keyword Unique identifier for the group on the system/platform.
client.user.group.name keyword Name of the group.
client.user.hash keyword Unique user hash to correlate information for a user in anonymized form.
client.user.id keyword Unique identifier of the user.
client.user.name keyword Short name or login of the user.
client.user.name.text text None
client.user.roles keyword Array of user roles at the time of the event.
cloud.account.id keyword The cloud account or organization id.
cloud.account.name keyword The cloud account name.
cloud.availability_zone keyword Availability zone in which this host, resource, or service is located.
cloud.image.id keyword None
cloud.instance.id keyword Instance ID of the host machine.
cloud.instance.name keyword Instance name of the host machine.
cloud.machine.type keyword Machine type of the host machine.
cloud.project.id keyword The cloud project id.
cloud.project.name keyword The cloud project name.
cloud.provider keyword Name of the cloud provider.
cloud.region keyword Region in which this host, resource, or service is located.
cloud.service.name keyword The cloud service name.
code_signature.exists boolean None
code_signature.signing_id keyword None
code_signature.status keyword None
code_signature.subject_name keyword None
code_signature.team_id keyword None
code_signature.trusted boolean None
code_signature.valid boolean None
container.id keyword Unique container id.
container.image.name keyword Name of the image the container was built on.
container.image.tag keyword Container image tags.
container.labels object Image labels.
container.name keyword Container name.
container.runtime keyword Runtime managing this container.
data_stream.dataset constant_keyword The field can contain anything that makes sense to signify the source of the data.
data_stream.namespace constant_keyword A user defined namespace. Namespaces are useful to allow grouping of data.
data_stream.type constant_keyword An overarching type for the data stream.
destination.address keyword Destination network address.
destination.as.number long Unique number allocated to the autonomous system.
destination.as.organization.name keyword Organization name.
destination.as.organization.name.text text None
destination.bytes long Bytes sent from the destination to the source.
destination.domain keyword The domain name of the destination.
destination.geo.city_name keyword City name.
destination.geo.continent_code keyword Continent code.
destination.geo.continent_name keyword Name of the continent.
destination.geo.country_iso_code keyword Country ISO code.
destination.geo.country_name keyword Country name.
destination.geo.location geo_point Longitude and latitude.
destination.geo.name keyword User-defined description of a location.
destination.geo.postal_code keyword Postal code.
destination.geo.region_iso_code keyword Region ISO code.
destination.geo.region_name keyword Region name.
destination.geo.timezone keyword Time zone.
destination.ip ip IP address of the destination.
destination.mac keyword MAC address of the destination.
destination.nat.ip ip Destination NAT ip
destination.nat.port long Destination NAT Port
destination.packets long Packets sent from the destination to the source.
destination.path keyword None
destination.port long Port of the destination.
destination.registered_domain keyword The highest registered destination domain, stripped of the subdomain.
destination.subdomain keyword The subdomain of the domain.
destination.top_level_domain keyword The effective top level domain (com, org, net, co.uk).
destination.user.domain keyword Name of the directory the user is a member of.
destination.user.email keyword User email address.
destination.user.full_name keyword User's full name, if available.
destination.user.full_name.text text None
destination.user.group.domain keyword Name of the directory the group is a member of.
destination.user.group.id keyword Unique identifier for the group on the system/platform.
destination.user.group.name keyword Name of the group.
destination.user.hash keyword Unique user hash to correlate information for a user in anonymized form.
destination.user.id keyword Unique identifier of the user.
destination.user.name keyword Short name or login of the user.
destination.user.name.text text None
destination.user.roles keyword Array of user roles at the time of the event.
dll.code_signature.exists boolean Boolean to capture if a signature is present.
dll.code_signature.signing_id keyword The identifier used to sign the process.
dll.code_signature.status keyword Additional information about the certificate status.
dll.code_signature.subject_name keyword Subject name of the code signer
dll.code_signature.team_id keyword The team identifier used to sign the process.
dll.code_signature.trusted boolean Stores the trust status of the certificate chain.
dll.code_signature.valid boolean Boolean to capture if the digital signature is verified against the binary content.
dll.hash.md5 keyword MD5 hash.
dll.hash.sha1 keyword SHA1 hash.
dll.hash.sha256 keyword SHA256 hash.
dll.hash.sha512 keyword SHA512 hash.
dll.hash.ssdeep keyword SSDEEP hash.
dll.name keyword Name of the library.
dll.path keyword Full file path of the library.
dll.pe.architecture keyword CPU architecture target for the file.
dll.pe.company keyword Internal company name of the file, provided at compile-time.
dll.pe.description keyword Internal description of the file, provided at compile-time.
dll.pe.file_version keyword Internal version of the file, provided at compile-time.
dll.pe.imphash keyword A hash of the imports in a PE file.
dll.pe.original_file_name keyword Internal name of the file, provided at compile-time.
dll.pe.product keyword Internal product name of the file, provided at compile-time.
dns.answers object Array of DNS answers.
dns.answers.class keyword The class of DNS data contained in this resource record.
dns.answers.data keyword The data describing the resource.
dns.answers.name keyword The domain name to which this resource record pertains.
dns.answers.ttl long The time interval in seconds that this resource record may be cached before it should be discarded.
dns.answers.type keyword The type of data contained in this resource record.
dns.header_flags keyword Array of DNS header flags.
dns.id keyword The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
dns.op_code keyword The DNS operation code that specifies the kind of query in the message.
dns.question.class keyword The class of records being queried.
dns.question.name keyword The name being queried.
dns.question.registered_domain keyword The highest registered domain, stripped of the subdomain.
dns.question.subdomain keyword The subdomain of the domain.
dns.question.top_level_domain keyword The effective top level domain (com, org, net, co.uk).
dns.question.type keyword The type of record being queried.
dns.resolved_ip ip Array containing all IPs seen in answers.data
dns.response_code keyword The DNS response code.
dns.type keyword The type of DNS event captured, query or answer.
docker.container.labels object None
ecs.version keyword ECS version this event conforms to.
error.code keyword Error code describing the error.
error.id keyword Unique identifier for the error.
error.message match_only_text Error message.
error.stack_trace wildcard The stack trace of this error in plain text.
error.stack_trace.text text None
error.type keyword The type of the error, for example the class name of the exception.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.created date Time when the event was first read by an agent or by your pipeline.
event.dataset keyword Name of the dataset.
event.duration long Duration of the event in nanoseconds.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.hash keyword Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
event.id keyword Unique ID to describe the event.
event.ingested date Timestamp when an event arrived in the central data store.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.module keyword Name of the module this data is coming from.
event.origin keyword None
event.original keyword Raw text message of entire event.
event.outcome keyword The outcome of the event. The lowest level categorization field in the hierarchy.
event.provider keyword Source of the event.
event.reason keyword Reason why this event happened, according to the source
event.reference keyword Event reference URL
event.risk_score float Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
event.risk_score_norm float Normalized risk score or priority of the event (0-100).
event.sequence long Sequence number of the event.
event.severity long Numeric severity of the event.
event.start date event.start contains the date when the event started or when the activity was first observed.
event.timezone keyword Event time zone.
event.type keyword Event type. The third categorization field in the hierarchy.
event.url keyword Event investigation URL
fields object None
file.accessed date Last time the file was accessed.
file.attributes keyword Array of file attributes.
file.code_signature.exists boolean Boolean to capture if a signature is present.
file.code_signature.signing_id keyword The identifier used to sign the process.
file.code_signature.status keyword Additional information about the certificate status.
file.code_signature.subject_name keyword Subject name of the code signer
file.code_signature.team_id keyword The team identifier used to sign the process.
file.code_signature.trusted boolean Stores the trust status of the certificate chain.
file.code_signature.valid boolean Boolean to capture if the digital signature is verified against the binary content.
file.created date File creation time.
file.ctime date Last time the file attributes or metadata changed.
file.device keyword Device that is the source of the file.
file.directory keyword Directory where the file is located.
file.drive_letter keyword Drive letter where the file is located.
file.extension keyword File extension, excluding the leading dot.
file.gid keyword Primary group ID (GID) of the file.
file.group keyword Primary group name of the file.
file.hash.md5 keyword MD5 hash.
file.hash.sha1 keyword SHA1 hash.
file.hash.sha256 keyword SHA256 hash.
file.hash.sha512 keyword SHA512 hash.
file.hash.ssdeep keyword SSDEEP hash.
file.inode keyword Inode representing the file in the filesystem.
file.mime_type keyword Media type of file, document, or arrangement of bytes.
file.mode keyword Mode of the file in octal representation.
file.mtime date Last time the file content was modified.
file.name keyword Name of the file including the extension, without the directory.
file.origin keyword None
file.origin.text text None
file.owner keyword File owner's username.
file.path keyword Full path to the file, including the file name.
file.path.text text None
file.pe.architecture keyword CPU architecture target for the file.
file.pe.company keyword Internal company name of the file, provided at compile-time.
file.pe.description keyword Internal description of the file, provided at compile-time.
file.pe.file_version keyword Internal version of the file, provided at compile-time.
file.pe.imphash keyword A hash of the imports in a PE file.
file.pe.original_file_name keyword Internal name of the file, provided at compile-time.
file.pe.product keyword Internal product name of the file, provided at compile-time.
file.selinux.domain keyword None
file.selinux.level keyword None
file.selinux.role keyword None
file.selinux.user keyword None
file.setgid boolean True if the setgid bit is set on the file.
file.setuid boolean True if the setuid bit is set on the file.
file.size long File size in bytes.
file.target_path keyword Target path for symlinks.
file.target_path.text text None
file.type keyword File type (file, dir, or symlink).
file.uid keyword The user ID (UID) or security identifier (SID) of the file owner.
file.x509.alternative_names keyword List of subject alternative names (SAN).
file.x509.issuer.common_name keyword List of common name (CN) of issuing certificate authority.
file.x509.issuer.country keyword List of country (C) codes
file.x509.issuer.distinguished_name keyword Distinguished name (DN) of issuing certificate authority.
file.x509.issuer.locality keyword List of locality names (L)
file.x509.issuer.organization keyword List of organizations (O) of issuing certificate authority.
file.x509.issuer.organizational_unit keyword List of organizational units (OU) of issuing certificate authority.
file.x509.issuer.state_or_province keyword List of state or province names (ST, S, or P)
file.x509.not_after date Time at which the certificate is no longer considered valid.
file.x509.not_before date Time at which the certificate is first considered valid.
file.x509.public_key_algorithm keyword Algorithm used to generate the public key.
file.x509.public_key_curve keyword The curve used by the elliptic curve public key algorithm. This is algorithm specific.
file.x509.public_key_exponent long Exponent used to derive the public key. This is algorithm specific.
file.x509.public_key_size long The size of the public key space in bits.
file.x509.serial_number keyword Unique serial number issued by the certificate authority.
file.x509.signature_algorithm keyword Identifier for certificate signature algorithm.
file.x509.subject.common_name keyword List of common names (CN) of subject.
file.x509.subject.country keyword List of country (C) codes
file.x509.subject.distinguished_name keyword Distinguished name (DN) of the certificate subject entity.
file.x509.subject.locality keyword List of locality names (L)
file.x509.subject.organization keyword List of organizations (O) of subject.
file.x509.subject.organizational_unit keyword List of organizational units (OU) of subject.
file.x509.subject.state_or_province keyword List of state or province names (ST, S, or P)
file.x509.version_number keyword Version of x509 format.
geo.city_name keyword None
geo.continent_code keyword None
geo.continent_name keyword None
geo.country_iso_code keyword None
geo.country_name keyword None
geo.location geo_point None
geo.name keyword None
geo.postal_code keyword None
geo.region_iso_code keyword None
geo.region_name keyword None
geo.timezone keyword None
geoip.city_name keyword None
geoip.continent_name keyword None
geoip.country_iso_code keyword None
geoip.location geo_point None
geoip.region_name keyword None
group.domain keyword Name of the directory the group is a member of.
group.id keyword Unique identifier for the group on the system/platform.
group.name keyword Name of the group.
hash.blake2b_256 keyword None
hash.blake2b_384 keyword None
hash.blake2b_512 keyword None
hash.md5 keyword None
hash.sha1 keyword None
hash.sha224 keyword None
hash.sha256 keyword None
hash.sha384 keyword None
hash.sha3_224 keyword None
hash.sha3_256 keyword None
hash.sha3_384 keyword None
hash.sha3_512 keyword None
hash.sha512 keyword None
hash.sha512_224 keyword None
hash.sha512_256 keyword None
hash.ssdeep keyword None
hash.xxh64 keyword None
host.architecture keyword Operating system architecture.
host.containerized boolean None
host.cpu.usage scaled_float Percent CPU used, between 0 and 1.
host.disk.read.bytes long The number of bytes read by all disks.
host.disk.write.bytes long The number of bytes written on all disks.
host.domain keyword Name of the domain of which the host is a member.
host.geo.city_name keyword City name.
host.geo.continent_code keyword Continent code.
host.geo.continent_name keyword Name of the continent.
host.geo.country_iso_code keyword Country ISO code.
host.geo.country_name keyword Country name.
host.geo.location geo_point Longitude and latitude.
host.geo.name keyword User-defined description of a location.
host.geo.postal_code keyword Postal code.
host.geo.region_iso_code keyword Region ISO code.
host.geo.region_name keyword Region name.
host.geo.timezone keyword Time zone.
host.hostname keyword Hostname of the host.
host.id keyword Unique host id.
host.ip ip Host ip addresses.
host.mac keyword Host MAC addresses.
host.name keyword Name of the host.
host.network.egress.bytes long The number of bytes sent on all network interfaces.
host.network.egress.packets long The number of packets sent on all network interfaces.
host.network.ingress.bytes long The number of bytes received on all network interfaces.
host.network.ingress.packets long The number of packets received on all network interfaces.
host.os.build keyword None
host.os.codename keyword None
host.os.family keyword OS family (such as redhat, debian, freebsd, windows).
host.os.full keyword Operating system name, including the version or code name.
host.os.full.text text None
host.os.kernel keyword Operating system kernel version as a raw string.
host.os.name keyword Operating system name, without the version.
host.os.name.text text None
host.os.platform keyword Operating system platform (such as centos, ubuntu, windows).
host.os.type keyword Which commercial OS family (one of: linux, macos, unix or windows).
host.os.version keyword Operating system version as a raw string.
host.type keyword Type of host.
host.uptime long Seconds the host has been up.
host.user.full_name.text text None
host.user.name.text text None
http.request.body.bytes long Size in bytes of the request body.
http.request.body.content wildcard The full HTTP request body.
http.request.body.content.text text None
http.request.bytes long Total size in bytes of the request (body and headers).
http.request.id keyword HTTP request ID.
http.request.method keyword HTTP request method.
http.request.mime_type keyword Mime type of the body of the request.
http.request.referrer keyword Referrer for this HTTP request.
http.response.body.bytes long Size in bytes of the response body.
http.response.body.content wildcard The full HTTP response body.
http.response.body.content.text text None
http.response.bytes long Total size in bytes of the response (body and headers).
http.response.mime_type keyword Mime type of the body of the response.
http.response.status_code long HTTP response status code.
http.version keyword HTTP version.
interface.alias keyword None
interface.id keyword None
interface.name keyword None
jolokia.agent.id keyword None
jolokia.agent.version keyword None
jolokia.secured boolean None
jolokia.server.product keyword None
jolokia.server.vendor keyword None
jolokia.server.version keyword None
jolokia.url keyword None
kubernetes.annotations text None
kubernetes.container.name keyword None
kubernetes.deployment.name keyword None
kubernetes.labels text None
kubernetes.namespace keyword None
kubernetes.node.hostname keyword None
kubernetes.node.name keyword None
kubernetes.pod.ip ip None
kubernetes.pod.name keyword None
kubernetes.pod.uid keyword None
kubernetes.replicaset.name keyword None
kubernetes.selectors text None
kubernetes.statefulset.name keyword None
log.file.path keyword Full path to the log file this event came from.
log.level keyword Log level of the log event.
log.logger keyword Name of the logger.
log.origin.file.line long The line number of the file which originated the log event.
log.origin.file.name keyword The code file which originated the log event.
log.origin.function keyword The function which originated the log event.
log.syslog object Syslog metadata
log.syslog.facility.code long Syslog numeric facility of the event.
log.syslog.facility.name keyword Syslog text-based facility of the event.
log.syslog.priority long Syslog priority of the event.
log.syslog.severity.code long Syslog numeric severity of the event.
log.syslog.severity.name keyword Syslog text-based severity of the event.
network.application keyword Application level protocol name.
network.bytes long Total bytes transferred in both directions.
network.community_id keyword A hash of source and destination IPs and ports.
network.direction keyword Direction of the network traffic.
network.forwarded_ip ip Host IP address when the source IP address is the proxy.
network.iana_number keyword IANA Protocol Number.
network.inner object Inner VLAN tag information
network.inner.vlan.id keyword VLAN ID as reported by the observer.
network.inner.vlan.name keyword Optional VLAN name as reported by the observer.
network.name keyword Name given by operators to sections of their network.
network.packets long Total packets transferred in both directions.
network.protocol keyword Application protocol name.
network.transport keyword Protocol Name corresponding to the field iana_number.
network.type keyword In the OSI Model this would be the Network Layer (ipv4, ipv6, ipsec, pim, etc.).
network.vlan.id keyword VLAN ID as reported by the observer.
network.vlan.name keyword Optional VLAN name as reported by the observer.
observer.egress object Object field for egress information
observer.egress.interface.alias keyword Interface alias
observer.egress.interface.id keyword Interface ID
observer.egress.interface.name keyword Interface name
observer.egress.vlan.id keyword VLAN ID as reported by the observer.
observer.egress.vlan.name keyword Optional VLAN name as reported by the observer.
observer.egress.zone keyword Observer Egress zone
observer.geo.city_name keyword City name.
observer.geo.continent_code keyword Continent code.
observer.geo.continent_name keyword Name of the continent.
observer.geo.country_iso_code keyword Country ISO code.
observer.geo.country_name keyword Country name.
observer.geo.location geo_point Longitude and latitude.
observer.geo.name keyword User-defined description of a location.
observer.geo.postal_code keyword Postal code.
observer.geo.region_iso_code keyword Region ISO code.
observer.geo.region_name keyword Region name.
observer.geo.timezone keyword Time zone.
observer.hostname keyword Hostname of the observer.
observer.ingress object Object field for ingress information
observer.ingress.interface.alias keyword Interface alias
observer.ingress.interface.id keyword Interface ID
observer.ingress.interface.name keyword Interface name
observer.ingress.vlan.id keyword VLAN ID as reported by the observer.
observer.ingress.vlan.name keyword Optional VLAN name as reported by the observer.
observer.ingress.zone keyword Observer ingress zone
observer.ip ip IP addresses of the observer.
observer.mac keyword MAC addresses of the observer.
observer.name keyword Custom name of the observer.
observer.os.family keyword OS family (such as redhat, debian, freebsd, windows).
observer.os.full keyword Operating system name, including the version or code name.
observer.os.full.text text None
observer.os.kernel keyword Operating system kernel version as a raw string.
observer.os.name keyword Operating system name, without the version.
observer.os.name.text text None
observer.os.platform keyword Operating system platform (such as centos, ubuntu, windows).
observer.os.type keyword Which commercial OS family (one of: linux, macos, unix or windows).
observer.os.version keyword Operating system version as a raw string.
observer.product keyword The product name of the observer.
observer.serial_number keyword Observer serial number.
observer.type keyword The type of the observer the data is coming from.
observer.vendor keyword Vendor name of the observer.
observer.version keyword Observer version.
orchestrator.api_version keyword API version being used to carry out the action
orchestrator.cluster.name keyword Name of the cluster.
orchestrator.cluster.url keyword URL of the API used to manage the cluster.
orchestrator.cluster.version keyword The version of the cluster.
orchestrator.namespace keyword Namespace in which the action is taking place.
orchestrator.organization keyword Organization affected by the event (for multi-tenant orchestrator setups).
orchestrator.resource.name keyword Name of the resource being acted upon.
orchestrator.resource.type keyword Type of resource being acted upon.
orchestrator.type keyword Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
organization.id keyword Unique identifier for the organization.
organization.name keyword Organization name.
organization.name.text text None
os.family keyword None
os.full keyword None
os.full.text text None
os.kernel keyword None
os.name keyword None
os.name.text text None
os.platform keyword None
os.type keyword None
os.version keyword None
package.architecture keyword Package architecture.
package.build_version keyword Build version information
package.checksum keyword Checksum of the installed package for verification.
package.description keyword Description of the package.
package.install_scope keyword Indicating how the package was installed, e.g. user-local, global.
package.installed date Time when package was installed.
package.license keyword Package license
package.name keyword Package name
package.path keyword Path where the package is installed.
package.reference keyword Package home page or reference URL
package.size long Package size in bytes.
package.type keyword Package type
package.version keyword Package version
pe.architecture keyword None
pe.company keyword None
pe.description keyword None
pe.file_version keyword None
pe.imphash keyword None
pe.original_file_name keyword None
pe.product keyword None
process.args keyword Array of process arguments.
process.args_count long Length of the process.args array.
process.code_signature.exists boolean Boolean to capture if a signature is present.
process.code_signature.signing_id keyword The identifier used to sign the process.
process.code_signature.status keyword Additional information about the certificate status.
process.code_signature.subject_name keyword Subject name of the code signer
process.code_signature.team_id keyword The team identifier used to sign the process.
process.code_signature.trusted boolean Stores the trust status of the certificate chain.
process.code_signature.valid boolean Boolean to capture if the digital signature is verified against the binary content.
process.command_line wildcard Full command line that started the process.
process.command_line.text text None
process.entity_id keyword Unique identifier for the process.
process.executable keyword Absolute path to the process executable.
process.executable.text text None
process.exit_code long The exit code of the process.
process.hash.blake2b_256 keyword None
process.hash.blake2b_384 keyword None
process.hash.blake2b_512 keyword None
process.hash.md5 keyword MD5 hash.
process.hash.sha1 keyword SHA1 hash.
process.hash.sha224 keyword None
process.hash.sha256 keyword SHA256 hash.
process.hash.sha384 keyword None
process.hash.sha3_224 keyword None
process.hash.sha3_256 keyword None
process.hash.sha3_384 keyword None
process.hash.sha3_512 keyword None
process.hash.sha512 keyword SHA512 hash.
process.hash.sha512_224 keyword None
process.hash.sha512_256 keyword None
process.hash.ssdeep keyword SSDEEP hash.
process.hash.xxh64 keyword None
process.name keyword Process name.
process.name.text text None
process.parent.args keyword Array of process arguments.
process.parent.args_count long Length of the process.parent.args array.
process.parent.code_signature.exists boolean Boolean to capture if a signature is present.
process.parent.code_signature.signing_id keyword The identifier used to sign the process.
process.parent.code_signature.status keyword Additional information about the certificate status.
process.parent.code_signature.subject_name keyword Subject name of the code signer
process.parent.code_signature.team_id keyword The team identifier used to sign the process.
process.parent.code_signature.trusted boolean Stores the trust status of the certificate chain.
process.parent.code_signature.valid boolean Boolean to capture if the digital signature is verified against the binary content.
process.parent.command_line wildcard Full command line that started the process.
process.parent.command_line.text text None
process.parent.entity_id keyword Unique identifier for the process.
process.parent.executable keyword Absolute path to the process executable.
process.parent.executable.text text None
process.parent.exit_code long The exit code of the process.
process.parent.hash.md5 keyword MD5 hash.
process.parent.hash.sha1 keyword SHA1 hash.
process.parent.hash.sha256 keyword SHA256 hash.
process.parent.hash.sha512 keyword SHA512 hash.
process.parent.hash.ssdeep keyword SSDEEP hash.
process.parent.name keyword Process name.
process.parent.name.text text None
process.parent.pe.architecture keyword CPU architecture target for the file.
process.parent.pe.company keyword Internal company name of the file, provided at compile-time.
process.parent.pe.description keyword Internal description of the file, provided at compile-time.
process.parent.pe.file_version keyword Internal version of the file, provided at compile-time.
process.parent.pe.imphash keyword A hash of the imports in a PE file.
process.parent.pe.original_file_name keyword Internal name of the file, provided at compile-time.
process.parent.pe.product keyword Internal product name of the file, provided at compile-time.
process.parent.pgid long Identifier of the group of processes the process belongs to.
process.parent.pid long Process id.
process.parent.start date The time the process started.
process.parent.thread.id long Thread ID.
process.parent.thread.name keyword Thread name.
process.parent.title keyword Process title.
process.parent.title.text text None
process.parent.uptime long Seconds the process has been up.
process.parent.working_directory keyword The working directory of the process.
process.parent.working_directory.text text None
process.pe.architecture keyword CPU architecture target for the file.
process.pe.company keyword Internal company name of the file, provided at compile-time.
process.pe.description keyword Internal description of the file, provided at compile-time.
process.pe.file_version keyword Internal version of the file, provided at compile-time.
process.pe.imphash keyword A hash of the imports in a PE file.
process.pe.original_file_name keyword Internal name of the file, provided at compile-time.
process.pe.product keyword Internal product name of the file, provided at compile-time.
process.pgid long Identifier of the group of processes the process belongs to.
process.pid long Process id.
process.start date The time the process started.
process.thread.id long Thread ID.
process.thread.name keyword Thread name.
process.title keyword Process title.
process.title.text text None
process.uptime long Seconds the process has been up.
process.working_directory keyword The working directory of the process.
process.working_directory.text text None
registry.data.bytes keyword Original bytes written with base64 encoding.
registry.data.strings wildcard List of strings representing what was written to the registry.
registry.data.type keyword Standard registry type for encoding contents
registry.hive keyword Abbreviated name for the hive.
registry.key keyword Hive-relative path of keys.
registry.path keyword Full path, including hive, key and value
registry.value keyword Name of the value written.
related.hash keyword All the hashes seen on your event.
related.hosts keyword All the host identifiers seen on your event.
related.ip ip All of the IPs seen on your event.
related.user keyword All the user names or other user identifiers seen on the event.
rule.author keyword Rule author
rule.category keyword Rule category
rule.description keyword Rule description
rule.id keyword Rule ID
rule.license keyword Rule license
rule.name keyword Rule name
rule.reference keyword Rule reference URL
rule.ruleset keyword Rule ruleset
rule.uuid keyword Rule UUID
rule.version keyword Rule version
server.address keyword Server network address.
server.as.number long Unique number allocated to the autonomous system.
server.as.organization.name keyword Organization name.
server.as.organization.name.text text None
server.bytes long Bytes sent from the server to the client.
server.domain keyword The domain name of the server.
server.geo.city_name keyword City name.
server.geo.continent_code keyword Continent code.
server.geo.continent_name keyword Name of the continent.
server.geo.country_iso_code keyword Country ISO code.
server.geo.country_name keyword Country name.
server.geo.location geo_point Longitude and latitude.
server.geo.name keyword User-defined description of a location.
server.geo.postal_code keyword Postal code.
server.geo.region_iso_code keyword Region ISO code.
server.geo.region_name keyword Region name.
server.geo.timezone keyword Time zone.
server.ip ip IP address of the server.
server.mac keyword MAC address of the server.
server.nat.ip ip Server NAT ip
server.nat.port long Server NAT port
server.packets long Packets sent from the server to the client.
server.port long Port of the server.
server.registered_domain keyword The highest registered server domain, stripped of the subdomain.
server.subdomain keyword The subdomain of the domain.
server.top_level_domain keyword The effective top level domain (com, org, net, co.uk).
server.user.domain keyword Name of the directory the user is a member of.
server.user.email keyword User email address.
server.user.full_name keyword User's full name, if available.
server.user.full_name.text text None
server.user.group.domain keyword Name of the directory the group is a member of.
server.user.group.id keyword Unique identifier for the group on the system/platform.
server.user.group.name keyword Name of the group.
server.user.hash keyword Unique user hash to correlate information for a user in anonymized form.
server.user.id keyword Unique identifier of the user.
server.user.name keyword Short name or login of the user.
server.user.name.text text None
server.user.roles keyword Array of user roles at the time of the event.
service.ephemeral_id keyword Ephemeral identifier of this service.
service.id keyword Unique identifier of the running service.
service.name keyword Name of the service.
service.node.name keyword Name of the service node.
service.state keyword Current state of the service.
service.type keyword The type of the service.
service.version keyword Version of the service.
socket.entity_id keyword None
source.address keyword Source network address.
source.as.number long Unique number allocated to the autonomous system.
source.as.organization.name keyword Organization name.
source.as.organization.name.text text None
source.bytes long Bytes sent from the source to the destination.
source.domain keyword The domain name of the source.
source.geo.city_name keyword City name.
source.geo.continent_code keyword Continent code.
source.geo.continent_name keyword Name of the continent.
source.geo.country_iso_code keyword Country ISO code.
source.geo.country_name keyword Country name.
source.geo.location geo_point Longitude and latitude.
source.geo.name keyword User-defined description of a location.
source.geo.postal_code keyword Postal code.
source.geo.region_iso_code keyword Region ISO code.
source.geo.region_name keyword Region name.
source.geo.timezone keyword Time zone.
source.ip ip IP address of the source.
source.mac keyword MAC address of the source.
source.nat.ip ip Source NAT ip
source.nat.port long Source NAT port
source.packets long Packets sent from the source to the destination.
source.path keyword None
source.port long Port of the source.
source.registered_domain keyword The highest registered source domain, stripped of the subdomain.
source.subdomain keyword The subdomain of the domain.
source.top_level_domain keyword The effective top level domain (com, org, net, co.uk).
source.user.domain keyword Name of the directory the user is a member of.
source.user.email keyword User email address.
source.user.full_name keyword User's full name, if available.
source.user.full_name.text text None
source.user.group.domain keyword Name of the directory the group is a member of.
source.user.group.id keyword Unique identifier for the group on the system/platform.
source.user.group.name keyword Name of the group.
source.user.hash keyword Unique user hash to correlate information for a user in anonymized form.
source.user.id keyword Unique identifier of the user.
source.user.name keyword Short name or login of the user.
source.user.name.text text None
source.user.roles keyword Array of user roles at the time of the event.
span.id keyword Unique identifier of the span within the scope of its trace.
system.audit.host.architecture keyword None
system.audit.host.boottime date None
system.audit.host.containerized boolean None
system.audit.host.hostname keyword None
system.audit.host.id keyword None
system.audit.host.ip ip None
system.audit.host.mac keyword None
system.audit.host.os.codename keyword None
system.audit.host.os.family keyword None
system.audit.host.os.kernel keyword None
system.audit.host.os.name keyword None
system.audit.host.os.platform keyword None
system.audit.host.os.type keyword None
system.audit.host.os.version keyword None
system.audit.host.timezone.name keyword None
system.audit.host.timezone.offset.sec long None
system.audit.host.uptime long None
system.audit.package.arch keyword None
system.audit.package.entity_id keyword None
system.audit.package.installtime date None
system.audit.package.license keyword None
system.audit.package.name keyword None
system.audit.package.release keyword None
system.audit.package.size long None
system.audit.package.summary keyword None
system.audit.package.url keyword None
system.audit.package.version keyword None
system.audit.user.dir keyword None
system.audit.user.gid keyword None
system.audit.user.group keyword None
system.audit.user.name keyword None
system.audit.user.shell keyword None
system.audit.user.user_information keyword None
threat.framework keyword Threat classification framework.
threat.tactic.id keyword Threat tactic id.
threat.tactic.name keyword Threat tactic.
threat.tactic.reference keyword Threat tactic URL reference.
threat.technique.id keyword Threat technique id.
threat.technique.name keyword Threat technique name.
threat.technique.name.text text None
threat.technique.reference keyword Threat technique URL reference.
threat.technique.subtechnique.id keyword Threat subtechnique id.
threat.technique.subtechnique.name keyword Threat subtechnique name.
threat.technique.subtechnique.name.text text None
threat.technique.subtechnique.reference keyword Threat subtechnique URL reference.
timeseries.instance keyword None
tls.cipher keyword String indicating the cipher used during the current connection.
tls.client.certificate keyword PEM-encoded stand-alone certificate offered by the client.
tls.client.certificate_chain keyword Array of PEM-encoded certificates that make up the certificate chain offered by the client.
tls.client.hash.md5 keyword Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
tls.client.hash.sha1 keyword Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
tls.client.hash.sha256 keyword Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
tls.client.issuer keyword Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
tls.client.ja3 keyword A hash that identifies clients based on how they perform an SSL/TLS handshake.
tls.client.not_after date Date/Time indicating when client certificate is no longer considered valid.
tls.client.not_before date Date/Time indicating when client certificate is first considered valid.
tls.client.server_name keyword Hostname the client is trying to connect to. Also called the SNI.
tls.client.subject keyword Distinguished name of subject of the x.509 certificate presented by the client.
tls.client.supported_ciphers keyword Array of ciphers offered by the client during the client hello.
tls.client.x509.alternative_names keyword List of subject alternative names (SAN).
tls.client.x509.issuer.common_name keyword List of common name (CN) of issuing certificate authority.
tls.client.x509.issuer.country keyword List of country (C) codes
tls.client.x509.issuer.distinguished_name keyword Distinguished name (DN) of issuing certificate authority.
tls.client.x509.issuer.locality keyword List of locality names (L)
tls.client.x509.issuer.organization keyword List of organizations (O) of issuing certificate authority.
tls.client.x509.issuer.organizational_unit keyword List of organizational units (OU) of issuing certificate authority.
tls.client.x509.issuer.state_or_province keyword List of state or province names (ST, S, or P)
tls.client.x509.not_after date Time at which the certificate is no longer considered valid.
tls.client.x509.not_before date Time at which the certificate is first considered valid.
tls.client.x509.public_key_algorithm keyword Algorithm used to generate the public key.
tls.client.x509.public_key_curve keyword The curve used by the elliptic curve public key algorithm. This is algorithm specific.
tls.client.x509.public_key_exponent long Exponent used to derive the public key. This is algorithm specific.
tls.client.x509.public_key_size long The size of the public key space in bits.
tls.client.x509.serial_number keyword Unique serial number issued by the certificate authority.
tls.client.x509.signature_algorithm keyword Identifier for certificate signature algorithm.
tls.client.x509.subject.common_name keyword List of common names (CN) of subject.
tls.client.x509.subject.country keyword List of country (C) code
tls.client.x509.subject.distinguished_name keyword Distinguished name (DN) of the certificate subject entity.
tls.client.x509.subject.locality keyword List of locality names (L)
tls.client.x509.subject.organization keyword List of organizations (O) of subject.
tls.client.x509.subject.organizational_unit keyword List of organizational units (OU) of subject.
tls.client.x509.subject.state_or_province keyword List of state or province names (ST, S, or P)
tls.client.x509.version_number keyword Version of x509 format.
tls.curve keyword String indicating the curve used for the given cipher, when applicable.
tls.established boolean Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
tls.next_protocol keyword String indicating the protocol being tunneled.
tls.resumed boolean Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
tls.server.certificate keyword PEM-encoded stand-alone certificate offered by the server.
tls.server.certificate_chain keyword Array of PEM-encoded certificates that make up the certificate chain offered by the server.
tls.server.hash.md5 keyword Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
tls.server.hash.sha1 keyword Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
tls.server.hash.sha256 keyword Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
tls.server.issuer keyword Subject of the issuer of the x.509 certificate presented by the server.
tls.server.ja3s keyword A hash that identifies servers based on how they perform an SSL/TLS handshake.
tls.server.not_after date Timestamp indicating when server certificate is no longer considered valid.
tls.server.not_before date Timestamp indicating when server certificate is first considered valid.
tls.server.subject keyword Subject of the x.509 certificate presented by the server.
tls.server.x509.alternative_names keyword List of subject alternative names (SAN).
tls.server.x509.issuer.common_name keyword List of common name (CN) of issuing certificate authority.
tls.server.x509.issuer.country keyword List of country (C) codes
tls.server.x509.issuer.distinguished_name keyword Distinguished name (DN) of issuing certificate authority.
tls.server.x509.issuer.locality keyword List of locality names (L)
tls.server.x509.issuer.organization keyword List of organizations (O) of issuing certificate authority.
tls.server.x509.issuer.organizational_unit keyword List of organizational units (OU) of issuing certificate authority.
tls.server.x509.issuer.state_or_province keyword List of state or province names (ST, S, or P)
tls.server.x509.not_after date Time at which the certificate is no longer considered valid.
tls.server.x509.not_before date Time at which the certificate is first considered valid.
tls.server.x509.public_key_algorithm keyword Algorithm used to generate the public key.
tls.server.x509.public_key_curve keyword The curve used by the elliptic curve public key algorithm. This is algorithm specific.
tls.server.x509.public_key_exponent long Exponent used to derive the public key. This is algorithm specific.
tls.server.x509.public_key_size long The size of the public key space in bits.
tls.server.x509.serial_number keyword Unique serial number issued by the certificate authority.
tls.server.x509.signature_algorithm keyword Identifier for certificate signature algorithm.
tls.server.x509.subject.common_name keyword List of common names (CN) of subject.
tls.server.x509.subject.country keyword List of country (C) code
tls.server.x509.subject.distinguished_name keyword Distinguished name (DN) of the certificate subject entity.
tls.server.x509.subject.locality keyword List of locality names (L)
tls.server.x509.subject.organization keyword List of organizations (O) of subject.
tls.server.x509.subject.organizational_unit keyword List of organizational units (OU) of subject.
tls.server.x509.subject.state_or_province keyword List of state or province names (ST, S, or P)
tls.server.x509.version_number keyword Version of x509 format.
tls.version keyword Numeric part of the version parsed from the original string.
tls.version_protocol keyword Normalized lowercase protocol name parsed from original string.
trace.id keyword Unique identifier of the trace.
transaction.id keyword Unique identifier of the transaction within the scope of its trace.
url.domain keyword Domain of the url.
url.extension keyword File extension from the request url, excluding the leading dot.
url.fragment keyword Portion of the url after the #.
url.full wildcard Full unparsed URL.
url.full.text text None
url.original wildcard Unmodified original url as seen in the event source.
url.original.text text None
url.password keyword Password of the request.
url.path wildcard Path of the request, such as "/search".
url.port long Port of the request, such as 443.
url.query keyword Query string of the request.
url.registered_domain keyword The highest registered url domain, stripped of the subdomain.
url.scheme keyword Scheme of the url.
url.subdomain keyword The subdomain of the domain.
url.top_level_domain keyword The effective top level domain (com, org, net, co.uk).
url.username keyword Username of the request.
user.audit.id keyword None
user.audit.name keyword None
user.changes.domain keyword Name of the directory the user is a member of.
user.changes.email keyword User email address.
user.changes.full_name keyword User's full name, if available.
user.changes.full_name.text text None
user.changes.group.domain keyword Name of the directory the group is a member of.
user.changes.group.id keyword Unique identifier for the group on the system/platform.
user.changes.group.name keyword Name of the group.
user.changes.hash keyword Unique user hash to correlate information for a user in anonymized form.
user.changes.id keyword Unique identifier of the user.
user.changes.name keyword Short name or login of the user.
user.changes.name.text text None
user.changes.roles keyword Array of user roles at the time of the event.
user.domain keyword Name of the directory the user is a member of.
user.effective.domain keyword Name of the directory the user is a member of.
user.effective.email keyword User email address.
user.effective.full_name keyword User's full name, if available.
user.effective.full_name.text text None
user.effective.group.domain keyword Name of the directory the group is a member of.
user.effective.group.id keyword Unique identifier for the group on the system/platform.
user.effective.group.name keyword Name of the group.
user.effective.hash keyword Unique user hash to correlate information for a user in anonymized form.
user.effective.id keyword Unique identifier of the user.
user.effective.name keyword Short name or login of the user.
user.effective.name.text text None
user.effective.roles keyword Array of user roles at the time of the event.
user.email keyword User email address.
user.entity_id keyword None
user.filesystem.group.id keyword None
user.filesystem.group.name keyword None
user.filesystem.id keyword None
user.filesystem.name keyword None
user.full_name keyword User's full name, if available.
user.full_name.text text None
user.group.domain keyword Name of the directory the group is a member of.
user.group.id keyword Unique identifier for the group on the system/platform.
user.group.name keyword Name of the group.
user.hash keyword Unique user hash to correlate information for a user in anonymized form.
user.id keyword Unique identifier of the user.
user.name keyword Short name or login of the user.
user.name.text text None
user.roles keyword Array of user roles at the time of the event.
user.selinux.category keyword None
user.selinux.domain keyword None
user.selinux.level keyword None
user.selinux.role keyword None
user.selinux.user keyword None
user.target.domain keyword Name of the directory the user is a member of.
user.target.email keyword User email address.
user.target.full_name keyword User's full name, if available.
user.target.full_name.text text None
user.target.group.domain keyword Name of the directory the group is a member of.
user.target.group.id keyword Unique identifier for the group on the system/platform.
user.target.group.name keyword Name of the group.
user.target.hash keyword Unique user hash to correlate information for a user in anonymized form.
user.target.id keyword Unique identifier of the user.
user.target.name keyword Short name or login of the user.
user.target.name.text text None
user.target.roles keyword Array of user roles at the time of the event.
user.terminal keyword None
user_agent.device.name keyword Name of the device.
user_agent.name keyword Name of the user agent.
user_agent.original keyword Unparsed user_agent string.
user_agent.original.text text None
user_agent.os.family keyword OS family (such as redhat, debian, freebsd, windows).
user_agent.os.full keyword Operating system name, including the version or code name.
user_agent.os.full.text text None
user_agent.os.kernel keyword Operating system kernel version as a raw string.
user_agent.os.name keyword Operating system name, without the version.
user_agent.os.name.text text None
user_agent.os.platform keyword Operating system platform (such centos, ubuntu, windows).
user_agent.os.type keyword Which commercial OS family (one of: linux, macos, unix or windows).
user_agent.os.version keyword Operating system version as a raw string.
user_agent.version keyword Version of the user agent.
vlan.id keyword None
vlan.name keyword None
vulnerability.category keyword Category of a vulnerability.
vulnerability.classification keyword Classification of the vulnerability.
vulnerability.description keyword Description of the vulnerability.
vulnerability.description.text text None
vulnerability.enumeration keyword Identifier of the vulnerability.
vulnerability.id keyword ID of the vulnerability.
vulnerability.reference keyword Reference of the vulnerability.
vulnerability.report_id keyword Scan identification number.
vulnerability.scanner.vendor keyword Name of the scanner vendor.
vulnerability.score.base float Vulnerability Base score.
vulnerability.score.environmental float Vulnerability Environmental score.
vulnerability.score.temporal float Vulnerability Temporal score.
vulnerability.score.version keyword CVSS version.
vulnerability.severity keyword Severity of the vulnerability.
x509.alternative_names keyword None
x509.issuer.common_name keyword None
x509.issuer.country keyword None
x509.issuer.distinguished_name keyword None
x509.issuer.locality keyword None
x509.issuer.organization keyword None
x509.issuer.organizational_unit keyword None
x509.issuer.state_or_province keyword None
x509.not_after date None
x509.not_before date None
x509.public_key_algorithm keyword None
x509.public_key_curve keyword None
x509.public_key_exponent long None
x509.public_key_size long None
x509.serial_number keyword None
x509.signature_algorithm keyword None
x509.subject.common_name keyword None
x509.subject.country keyword None
x509.subject.distinguished_name keyword None
x509.subject.locality keyword None
x509.subject.organization keyword None
x509.subject.organizational_unit keyword None
x509.subject.state_or_province keyword None
x509.version_number keyword None

Configure

Transport to the collector

Prerequisites

The following prerequisites are needed to set up log concentration:

  • Have administrator privileges on the server
  • Traffic from the client towards the Rsyslog log collector server must be allowed on port TCP/514. Note that plain TCP syslog is neither encrypted nor authenticated: restrict this flow to a trusted network segment, or use a TLS-protected transport as described in the Rsyslog Transport documentation.

Configure the client

Install and configure Auditbeat

To download and install Auditbeat on Debian-based distributions (including Ubuntu, Linux Mint, etc.), use the following commands:

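# Download the package together with the SHA-512 checksum that Elastic publishes
# next to every artifact, and only install the package if the checksum matches.
# A bare "curl | dpkg -i" trusts whatever the download returned; the checksum
# catches a corrupted or substituted artifact before it is installed as root.
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.13.1-amd64.deb
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.13.1-amd64.deb.sha512
sha512sum -c auditbeat-7.13.1-amd64.deb.sha512 && sudo dpkg -i auditbeat-7.13.1-amd64.deb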

To download and install Auditbeat on Fedora, CentOS or Red Hat Enterprise Linux, use the following commands:

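# Download the package together with the SHA-512 checksum that Elastic publishes
# next to every artifact, and only install the package if the checksum matches
# (alternatively, import Elastic's package signing key and use rpm --checksig).
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.13.1-x86_64.rpm
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.13.1-x86_64.rpm.sha512
sha512sum -c auditbeat-7.13.1-x86_64.rpm.sha512 && sudo rpm -vi auditbeat-7.13.1-x86_64.rpm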

Replace the version number (7.13.1 above) with the release you intend to deploy.

Auditbeat uses modules to collect audit information. By default, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.

Replace the configuration file /etc/auditbeat/auditbeat.yml with the following content. The audit rules and the monitored paths are a starting point: review them against your own requirements before deploying.

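########################## Auditbeat Configuration #############################
#
# Auditbeat writes JSON events to a local file (output.file below); the local
# Rsyslog service then tails that file and forwards it to the log concentrator.

# =========================== Modules configuration ============================
auditbeat.modules:

# The auditd module collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
# NOTE(review): Auditbeat and the auditd daemon compete for the kernel audit
# socket; confirm auditd is stopped on this host (or configure socket_type
# multicast) before starting Auditbeat.
- module: auditd
  resolve_ids: true
  # 'silent' means the kernel does nothing when it cannot deliver an audit
  # record (e.g. backlog full). Use 'log' to get a kernel message, or 'panic'
  # on hosts where losing audit data is unacceptable.
  failure_mode: silent
  # Size of the kernel audit backlog; raise it on busy hosts to avoid lost events.
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false

  # Load audit rules
  audit_rules: |
    ## Example of audit rules here. Comment what is NOT needed
    ## Executions. Both ABIs are audited: a b64-only rule is bypassed by
    ## 32-bit binaries or 32-bit (compat) system calls.
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b32 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes. /etc/shadow holds the password hashes and must be
    ## watched together with passwd, group and gshadow.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity

    ## Unauthorized access attempts.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

# The file integrity module sends events when files are changed (created,
# updated, deleted). The events contain file metadata and hashes.
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /var/spool/cron/crontabs
  - /etc/cron.d
  - /etc/cron.daily
  - /etc/cron.hourly
  - /etc/cron.monthly
  - /etc/cron.weekly


  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  # sha1 is kept so existing parsers and samples keep working; sha256 is added
  # because SHA-1 collisions are practical and an integrity check needs a
  # collision-resistant digest.
  hash_types: [sha1, sha256]

  # Detect changes to files included in subdirectories. Disabled by default.
  # With recursive: false only the top level of each path is watched, so for
  # example /etc/ssh/, /etc/pam.d/, /etc/sudoers.d/ and /etc/systemd/system/
  # are NOT monitored unless they are listed in paths or recursive is enabled.
  recursive: false

- module: system
  datasets:
    - package   # Installed, updated, and removed packages
  period: 2m

- module: system
  datasets:
    - host      # General host information, e.g. uptime, IPs
    - login     # User logins, logouts, and system boots.
    - process   # Started and stopped processes
    - socket    # Opened and closed sockets
    - user      # User information


  user.detect_password_changes: true

# ================================== Outputs ===================================
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: false

# -------------------------------- File Output ---------------------------------
output.file:
  enabled: true

  # Configure JSON encoding
  codec.json:
    #pretty: false
    # Configure escaping HTML symbols in strings.
    #escape_html: false

  # Path to the directory where to save the generated files.
  # NOTE(review): /tmp is world-writable, is commonly purged at reboot or by
  # systemd-tmpfiles, and may be a tmpfs. The files themselves are created
  # 0600 (permissions below), but a persistent location such as
  # /var/log/auditbeat is safer for audit data. If you change this path, update
  # the imfile File= path in the Rsyslog configuration accordingly.
  path: "/tmp/auditbeat"
  filename: auditbeat
  # Auditbeat rotates this file itself; no external logrotate job is needed.
  rotate_every_kb: 10000
  number_of_files: 7
  # Only root can read the output, which is why the local Rsyslog must either
  # run as root or be given read access to this file.
  permissions: 0600

# =================================== Paths ====================================

path.home: "/usr/share/auditbeat/bin"
path.config: "/etc/auditbeat"
path.data: "/var/lib/auditbeat"
path.logs: "/var/log/auditbeat"

# ================================== Template ==================================

# Elasticsearch template settings (unused while the Elasticsearch output is
# disabled; kept so the file stays a complete, loadable configuration).
setup.template.settings:
  # A dictionary of settings to place into the settings.index dictionary
  index:
    number_of_shards: 1
    #codec: best_compression

# ================================== Logging ===================================

logging.level: info

logging.to_files: true
logging.files:
  path: /var/log/auditbeat
  name: auditbeat
  rotateeverybytes: 10485760 # = 10MB
  keepfiles: 7
  permissions: 0600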

If you created the file yourself, make sure /etc/auditbeat/auditbeat.yml is owned by root and readable only by root, since it decides which audit rules are loaded and where events are written: `sudo chmod 0600 /etc/auditbeat/auditbeat.yml` and `sudo chown root:root /etc/auditbeat/auditbeat.yml`. Auditbeat checks the ownership and permissions of its configuration file at startup and refuses to run with a file that other users can write.

Before enabling the service, run Auditbeat once in the foreground (the -e flag sends its log to stderr) to check that the configuration is valid and that every audit rule loads without a warning:

sudo auditbeat -e

If no error is reported, press Ctrl + C to stop it.

Enable Auditbeat at boot and start it with the following commands:

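# Enable the unit so audit collection resumes after a reboot, then (re)start it.
# A restart alone leaves the service disabled and the host unaudited after the
# next boot.
sudo systemctl enable auditbeat.service && sudo systemctl restart auditbeat.service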

Check that JSON events are being written to /tmp/auditbeat/auditbeat. Auditbeat already rotates this file by itself (rotate_every_kb and number_of_files in the configuration above), so an additional logrotate job is not required and could cause the Rsyslog imfile input to miss lines. Keep in mind that /tmp is commonly purged at reboot or by systemd-tmpfiles: if buffered events must survive that, use a persistent directory such as /var/log/auditbeat and adjust the imfile path below accordingly.

Configure local Rsyslog service

Ensure Rsyslog is installed (the command below is for Debian-based systems; use yum or dnf on RHEL-based ones):

sudo apt install rsyslog

Set up a lightweight Rsyslog client by editing /etc/rsyslog.conf so that it contains the following:

### Rsyslog client configuration (/etc/rsyslog.conf)
module(load="imuxsock")                                 # provides support for local system logging
module(load="imklog" permitnonkernelfacility="on")      # provides kernel logging support

# Set the maximum supported message size. Auditbeat JSON events are larger than
# the 8k rsyslog default; raise this value if forwarded events are truncated.
$MaxMessageSize 20k

# Use traditional timestamp format.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Action queue: buffer forwarded messages in RAM and spill them to disk so that
# nothing is lost while the concentrator is unreachable.
# NOTE(review): legacy $ActionQueue* directives bind to the next action that
# rsyslog parses, which after $IncludeConfig may not be the forwarding action
# defined in /etc/rsyslog.d/8-linux_auditbeat.conf. Setting the queue.*
# parameters directly on that action() is the reliable way to attach them.
$ActionQueueType LinkedList     # create a queue stored in RAM
$ActionQueueFileName sek_fwd    # prefix of the on-disk spool files (in $WorkDirectory)
$ActionQueueMaxDiskSpace 5g     # allow up to 5 GiB of disk for the buffer
$ActionQueueSaveOnShutdown on   # write the queue to disk when rsyslog is shut down
$ActionResumeRetryCount -1      # retry forever instead of dropping logs when the connection is interrupted

# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf

# Rules: everything is also kept locally (the forwarding rule in rsyslog.d
# does not "stop" messages, so Auditbeat events land in /var/log/syslog too).
*.*          -/var/log/syslog

Please ensure that the options $PrivDropToUser syslog and $PrivDropToGroup syslog are removed; otherwise the rsyslog process cannot read the Auditbeat output file, which is created with mode 0600 and owned by root. Be aware that this means rsyslog keeps running as root. If that is not acceptable in your environment, keep the privilege drop and instead give the syslog user read access to the Auditbeat output file (for example by relaxing the permissions setting of output.file and the ownership of its directory).

Then create a dedicated configuration file, /etc/rsyslog.d/8-linux_auditbeat.conf, that tails the Auditbeat output and forwards it to the log concentrator:

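module(load="imfile" PollingInterval="10")              #needs to be done just once
# Tail the Auditbeat JSON output. Keep File= in sync with output.file.path and
# output.file.filename in /etc/auditbeat/auditbeat.yml.
input(type="imfile"
      File="/tmp/auditbeat/auditbeat"
      Tag="linux_auditbeat"
      Severity="info"
      Facility="local7")

if ($syslogtag contains 'linux_auditbeat') then {
     # Plain TCP on port 514 is unencrypted and unauthenticated; on an untrusted
     # path use the TLS settings from the Rsyslog Transport documentation.
     # The queue is configured on the action itself so it is guaranteed to apply
     # to this forwarding action (legacy $ActionQueue* directives in rsyslog.conf
     # only bind to whichever action rsyslog happens to parse next). A distinct
     # spool file name avoids clashing with a queue those directives may create.
     action(
         type="omfwd"
         protocol="tcp"
         target="YOUR_RSYSLOG_DESTINATION_SERVER"
         port="514"
         TCP_Framing="octet-counted"
         queue.type="LinkedList"
         queue.filename="linux_auditbeat_fwd"
         queue.maxdiskspace="5g"
         queue.saveonshutdown="on"
         action.resumeRetryCount="-1"
     )
}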

Replace YOUR_RSYSLOG_DESTINATION_SERVER in /etc/rsyslog.d/8-linux_auditbeat.conf with the address of your log concentrator.

Validate the configuration, then restart Rsyslog:
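# Check the configuration syntax first: restarting with a broken rsyslog.conf
# would stop local logging and forwarding on the host at the same time.
sudo rsyslogd -N1 && sudo systemctl restart rsyslog.service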

Transport to SEKOIA.IO

The reader is invited to consult the Rsyslog Transport documentation to transport logs to SEKOIA.IO.

Enjoy your events

Go to the events page to watch your incoming events.
