The Events page exposes a search capability to investigate and hunt on your events. The search queries must follow the events query language. Type your search query in the box above the list of events to find expected events.
Fields
The Tables below detail the main fields that can be used to narrow down your search. Events are normalized to use the Elastic Common Schema (ECS) Reference. Custom fields can also be used and are listed in the Integrations section.
Action
name
type
description
action.id
number
Action unique identifier
action.name
string
Name of the action
action.outcome
string
Outcome status of the action
SEKOIA.IO
name
type
description
sekoiaio.entity.name
string
Name of the entity
sekoiaio.entity.uuid
string
Unique identifier of the entity
sekoiaio.intake.key
string
The intake key
sekoiaio.intake.name
string
Name of the intake
sekoiaio.intake.dialect
string
Name of the intake format
sekoiaio.intake.dialect_uuid
string
UUID of the intake format
sekoiaio.intake.parsing_status
string
The parsing status (success or failure)
sekoiaio.intake.parsing_error
string
The parsing error (if any)
Network
name
type
description
network.protocol
string
L7 Network protocol name. ex. http, lumberjack, transport protocol.
network.transport
string
Protocol Name corresponding to the field iana_number.
Destination
name
type
description
destination.ip
string
IP address of the destination. (IPv4 or IPv6)
destination.port
number
Port of the destination
destination.domain
string
Destination domain
destination.packets
number
Packets sent from the destination to the source.
Source
name
type
description
source.ip
string
IP address of the source. (IPv4 or IPv6)
source.port
number
Port of the source
source.domain
string
Source domain
source.packets
number
Packets sent from the source to the destination.
HTTP
name
type
description
http.request.method
string
HTTP request method
http.response.status_code
string
HTTP response status code
URL
name
type
description
url.original
string
Unmodified original url as seen in the event source.
url.full
string
Full unparsed URL.
DNS
name
type
description
dns.question.name
string
The name being queried.
dns.question.type
string
The type of record being queried.
dns.response_code
string
The DNS response code.
User
name
type
description
user.id
string
Unique identifier of the user.
user.name
string
Short name or login of the user.
user.email
string
User email address.
User Agent
name
type
description
user_agent.original
string
Unparsed user_agent string.
Process
name
type
description
process.pid
number
Process Id
process.name
string
Process name
process.executable
string
Absolute path to the process executable.
process.cmdline
string
Full command line that started the process.
process.working_directory
string
he working directory of the process.
process.ppid
number
Parent process' pid.
process.parent.name
string
Parent process' name
process.parent.executable
string
Parent process' executable
Example
Get valid events, that are neither apache nor nginx logs:
sekoiaio.intake.parsing_status:"success" AND NOT(sekoiaio.intake.dialect:"apache" OR sekoiaio.intake.dialect:"nginx")