Amazon Security Lake

Collect logs from Amazon Security Lake with Elastic Agent.


Version	1.1.0 (View all)
Compatible Kibana version(s)	8.12.0 or higher
Supported Serverless project types What's this?	Security Observability
Subscription level What's this?	Basic
Level of support What's this?	Elastic

This Amazon Security Lake integration helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization. With Security Lake, you can also improve the protection of your workloads, applications, and data.

Security Lake automates the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources.

The Amazon Security Lake integration can be used in two different modes to collect data:

AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files.
AWS S3 SQS mode: Amazon Security Lake writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode.

Compatibility

This module follows the latest OCSF Schema Version v1.0.0.

Data streams

The Amazon Security Lake integration collects logs from both Third-party services and AWS services in an event data stream.

NOTE:

The Amazon Security Lake integration supports events collected from AWS services and third-party services.

Requirements

Elastic Agent must be installed.
Elastic Agent is required to stream data from Amazon Security Lake and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.

Setup

To collect data from Amazon Security Lake follow the below steps:

To enable and start Amazon Security Lake, follow the steps mentioned here: https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html.
After creating data lake, follow below steps to create a data subscribers to consume data.
- Open the Security Lake console.
- By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to create the subscriber.
- In the navigation pane, choose Subscribers.
- On the Subscribers page, choose Create subscriber.
- For Subscriber details, enter Subscriber name and an optional Description.
- For Log and event sources, choose which sources the subscriber is authorized to consume.
- For Data access method, choose S3 to set up data access for the subscriber.
- For Subscriber credentials, provide the subscriber's AWS account ID and external ID.
- For Notification details, select SQS queue.
- Choose Create.
Above mentioned steps will create and provide required details such as IAM roles/AWS role ID, external id and queue url to configure AWS Security Lake Integration.

Enabling the integration in Elastic:

In Kibana go to Management > Integrations.
In "Search for integrations" search bar, type Amazon Security Lake.
Click on the "Amazon Security Lake" integration from the search results.
Click on the Add Amazon Security Lake Integration button to add the integration.
By default collect logs via S3 Bucket toggle will be off and collect logs for AWS SQS.
While adding the integration, if you want to collect logs via AWS SQS, then you have to put the following details:
- queue url
- collect logs via S3 Bucket toggled off
- role ARN
- external id
or if you want to collect logs via AWS S3, then you have to put the following details:
- bucket arn
- collect logs via S3 Bucket toggled on
- role ARN
- external id

NOTE:

There are other input combination options available, please check here.
Metrics are not part of the Amazon Security Lake integration.
Events are included in the Amazon Security Lake integration.
Service checks are not incorporated into the Amazon Security Lake integration.
To troubleshoot, ensure that the IAM role in your AWS account has the correct permissions.

Logs reference

Event

This is the Event dataset.

Example

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset	Event dataset.	constant_keyword
event.module	Event module.	constant_keyword
input.type	Type of filebeat input.	keyword
log.offset	Log offset.	long
ocsf.access_mask	The access mask in a platform-native format.	long
ocsf.activity_id	The normalized identifier of the activity that triggered the event.	keyword
ocsf.activity_name	The event activity name, as defined by the activity_id.	keyword
ocsf.actor.authorizations.decision	Authorization Result/outcome, e.g. allowed, denied.	keyword
ocsf.actor.authorizations.policy.desc	The description of the policy.	keyword
ocsf.actor.authorizations.policy.group.desc	The group description.	keyword
ocsf.actor.authorizations.policy.group.name	The group name.	keyword
ocsf.actor.authorizations.policy.group.privileges	The group privileges.	keyword
ocsf.actor.authorizations.policy.group.type	The type of the group or account.	keyword
ocsf.actor.authorizations.policy.group.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.authorizations.policy.name	The policy name. For example: IAM Policy.	keyword
ocsf.actor.authorizations.policy.uid	A unique identifier of the policy instance.	keyword
ocsf.actor.authorizations.policy.version	The policy version number.	keyword
ocsf.actor.idp.name	The name of the identity provider.	keyword
ocsf.actor.idp.uid	The unique identifier of the identity provider.	keyword
ocsf.actor.invoked_by	The name of the service that invoked the activity as described in the event.	keyword
ocsf.actor.process.auid	The audit user assigned at login by the audit subsystem.	keyword
ocsf.actor.process.cmd_line	The full command line used to launch an application, service, process, or job.	keyword
ocsf.actor.process.container.hash.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.container.hash.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.container.hash.value	The digital fingerprint value.	keyword
ocsf.actor.process.container.image.labels	The image labels.	keyword
ocsf.actor.process.container.image.name	The image name.	keyword
ocsf.actor.process.container.image.path	The full path to the image file.	keyword
ocsf.actor.process.container.image.tag	The tag used by the container. It can indicate version, format, OS.	keyword
ocsf.actor.process.container.image.uid	The unique image ID.	keyword
ocsf.actor.process.container.name	The container name.	keyword
ocsf.actor.process.container.network_driver	The network driver used by the container. For example, bridge, overlay, host, none, etc.	keyword
ocsf.actor.process.container.orchestrator	The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.	keyword
ocsf.actor.process.container.pod_uuid	The unique identifier of the pod (or equivalent) that the container is executing on.	keyword
ocsf.actor.process.container.runtime	The backend running the container, such as containerd or cri-o.	keyword
ocsf.actor.process.container.size	The size of the container image.	long
ocsf.actor.process.container.tag	The tag used by the container. It can indicate version, format, OS.	keyword
ocsf.actor.process.container.uid	The full container unique identifier for this instantiation of the container.	keyword
ocsf.actor.process.created_time	The time when the process was created/started.	date
ocsf.actor.process.created_time_dt	The time when the process was created/started.	date
ocsf.actor.process.egid	The effective group under which this process is running.	keyword
ocsf.actor.process.euid	The effective user under which this process is running.	keyword
ocsf.actor.process.file.accessed_time	The time when the file was last accessed.	date
ocsf.actor.process.file.accessed_time_dt	The time when the file was last accessed.	date
ocsf.actor.process.file.accessor.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.file.accessor.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.accessor.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.file.accessor.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.file.accessor.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.file.accessor.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.file.accessor.email_addr	The user's email address.	keyword
ocsf.actor.process.file.accessor.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.file.accessor.groups.desc	The group description.	keyword
ocsf.actor.process.file.accessor.groups.name	The group name.	keyword
ocsf.actor.process.file.accessor.groups.privileges	The group privileges.	keyword
ocsf.actor.process.file.accessor.groups.type	The type of the group or account.	keyword
ocsf.actor.process.file.accessor.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.file.accessor.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.file.accessor.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.file.accessor.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.file.accessor.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.file.accessor.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.file.accessor.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.file.accessor.type_id	The account type identifier.	keyword
ocsf.actor.process.file.accessor.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.file.accessor.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.file.attributes	The Bitmask value that represents the file attributes.	long
ocsf.actor.process.file.company_name	The name of the company that published the file. For example: Microsoft Corporation.	keyword
ocsf.actor.process.file.confidentiality	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.confidentiality_id	The normalized identifier of the file content confidentiality indicator.	keyword
ocsf.actor.process.file.created_time	The time when the file was created.	date
ocsf.actor.process.file.created_time_dt	The time when the file was created.	date
ocsf.actor.process.file.creator.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.file.creator.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.creator.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.file.creator.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.file.creator.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.file.creator.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.file.creator.email_addr	The user's email address.	keyword
ocsf.actor.process.file.creator.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.file.creator.groups.desc	The group description.	keyword
ocsf.actor.process.file.creator.groups.name	The group name.	keyword
ocsf.actor.process.file.creator.groups.privileges	The group privileges.	keyword
ocsf.actor.process.file.creator.groups.type	The type of the group or account.	keyword
ocsf.actor.process.file.creator.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.file.creator.name	The name of the city.	keyword
ocsf.actor.process.file.creator.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.file.creator.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.file.creator.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.file.creator.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.file.creator.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.file.creator.type_id	The account type identifier.	keyword
ocsf.actor.process.file.creator.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.file.creator.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.file.desc	The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.	keyword
ocsf.actor.process.file.hashes.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.hashes.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.file.hashes.value	The digital fingerprint value.	keyword
ocsf.actor.process.file.is_system	The indication of whether the object is part of the operating system.	boolean
ocsf.actor.process.file.mime_type	The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.	keyword
ocsf.actor.process.file.modified_time	The time when the file was last modified.	date
ocsf.actor.process.file.modified_time_dt	The time when the file was last modified.	date
ocsf.actor.process.file.modifier.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.file.modifier.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.modifier.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.file.modifier.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.file.modifier.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.file.modifier.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.file.modifier.email_addr	The image name. For example: elixir.	keyword
ocsf.actor.process.file.modifier.full_name	The user's email address.	keyword
ocsf.actor.process.file.modifier.groups.desc	The group description.	keyword
ocsf.actor.process.file.modifier.groups.name	The group name.	keyword
ocsf.actor.process.file.modifier.groups.privileges	The group privileges.	keyword
ocsf.actor.process.file.modifier.groups.type	The type of the group or account.	keyword
ocsf.actor.process.file.modifier.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.file.modifier.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.file.modifier.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.file.modifier.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.file.modifier.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.file.modifier.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.file.modifier.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.file.modifier.type_id	The account type identifier.	keyword
ocsf.actor.process.file.modifier.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.file.modifier.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.file.name	The name of the file. For example: svchost.exe.	keyword
ocsf.actor.process.file.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.file.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.file.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.file.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.file.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.file.owner.email_addr	The user's email address.	keyword
ocsf.actor.process.file.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.file.owner.groups.desc	The group description.	keyword
ocsf.actor.process.file.owner.groups.name	The group name.	keyword
ocsf.actor.process.file.owner.groups.privileges	The group privileges.	keyword
ocsf.actor.process.file.owner.groups.type	The type of the group or account.	keyword
ocsf.actor.process.file.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.file.owner.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.file.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.file.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.file.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.file.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.file.owner.type	The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.file.owner.type_id	The account type identifier.	keyword
ocsf.actor.process.file.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.file.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.file.parent_folder	The parent folder in which the file resides. For example: c:\windows\system32.	keyword
ocsf.actor.process.file.path	The full path to the file. For example: c:\windows\system32\svchost.exe.	keyword
ocsf.actor.process.file.product.feature.name	The name of the feature.	keyword
ocsf.actor.process.file.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.actor.process.file.product.feature.version	The version of the feature.	keyword
ocsf.actor.process.file.product.lang	The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.actor.process.file.product.name	The name of the feature.	keyword
ocsf.actor.process.file.product.path	The installation path of the product.	keyword
ocsf.actor.process.file.product.uid	The unique identifier of the feature.	keyword
ocsf.actor.process.file.product.url_string	The URL pointing towards the product.	keyword
ocsf.actor.process.file.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.actor.process.file.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.actor.process.file.security_descriptor	The object security descriptor.	keyword
ocsf.actor.process.file.signature.algorithm	The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.signature.algorithm_id	The identifier of the normalized digital signature algorithm.	keyword
ocsf.actor.process.file.signature.certificate.created_time	The time when the certificate was created.	date
ocsf.actor.process.file.signature.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.actor.process.file.signature.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.actor.process.file.signature.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.actor.process.file.signature.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.file.signature.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.actor.process.file.signature.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.actor.process.file.signature.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.actor.process.file.signature.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.actor.process.file.signature.certificate.version	The certificate version.	keyword
ocsf.actor.process.file.signature.created_time	The time when the digital signature was created.	date
ocsf.actor.process.file.signature.created_time_dt	The time when the digital signature was created.	date
ocsf.actor.process.file.signature.developer_uid	The developer ID on the certificate that signed the file.	keyword
ocsf.actor.process.file.signature.digest.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.file.signature.digest.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.file.signature.digest.value	The digital fingerprint value.	keyword
ocsf.actor.process.file.size	The size of data, in bytes.	long
ocsf.actor.process.file.type	The file type.	keyword
ocsf.actor.process.file.type_id	The file type ID.	keyword
ocsf.actor.process.file.uid	The unique identifier of the file as defined by the storage system, such the file system file ID.	keyword
ocsf.actor.process.file.version	The file version. For example: 8.0.7601.17514.	keyword
ocsf.actor.process.file.xattributes	An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.	flattened
ocsf.actor.process.group.desc	The group description.	keyword
ocsf.actor.process.group.name	The group name.	keyword
ocsf.actor.process.group.privileges	The group privileges.	keyword
ocsf.actor.process.group.type	The type of the group or account.	keyword
ocsf.actor.process.group.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.integrity	The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).	keyword
ocsf.actor.process.integrity_id	The normalized identifier of the process integrity level (Windows only).	keyword
ocsf.actor.process.lineage	The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].	keyword
ocsf.actor.process.loaded_modules	The list of loaded module names.	keyword
ocsf.actor.process.name	The friendly name of the process, for example: Notepad++.	keyword
ocsf.actor.process.namespace_pid	If running under a process namespace (such as in a container), the process identifier within that process namespace.	long
ocsf.actor.process.parent_process.auid	The audit user assigned at login by the audit subsystem.	keyword
ocsf.actor.process.parent_process.cmd_line	The full command line used to launch an application, service, process, or job.	keyword
ocsf.actor.process.parent_process.container.hash.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.container.hash.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.parent_process.container.hash.value	The digital fingerprint value.	keyword
ocsf.actor.process.parent_process.container.image.labels	The image labels.	keyword
ocsf.actor.process.parent_process.container.image.name	The image name.	keyword
ocsf.actor.process.parent_process.container.image.path	The full path to the image file.	keyword
ocsf.actor.process.parent_process.container.image.tag	The tag used by the container. It can indicate version, format, OS.	keyword
ocsf.actor.process.parent_process.container.image.uid	The unique image ID.	keyword
ocsf.actor.process.parent_process.container.name	The container name.	keyword
ocsf.actor.process.parent_process.container.network_driver	The network driver used by the container. For example, bridge, overlay, host, none, etc.	keyword
ocsf.actor.process.parent_process.container.orchestrator	The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.	keyword
ocsf.actor.process.parent_process.container.pod_uuid	The unique identifier of the pod (or equivalent) that the container is executing on.	keyword
ocsf.actor.process.parent_process.container.runtime	The backend running the container, such as containerd or cri-o.	keyword
ocsf.actor.process.parent_process.container.size	The size of the container image.	long
ocsf.actor.process.parent_process.container.tag	The tag used by the container. It can indicate version, format, OS.	keyword
ocsf.actor.process.parent_process.container.uid	The full container unique identifier for this instantiation of the container.	keyword
ocsf.actor.process.parent_process.created_time	The time when the process was created/started.	date
ocsf.actor.process.parent_process.created_time_dt	The time when the process was created/started.	date
ocsf.actor.process.parent_process.egid	The effective group under which this process is running.	keyword
ocsf.actor.process.parent_process.euid	The effective user under which this process is running.	keyword
ocsf.actor.process.parent_process.file.accessed_time	The time when the file was last accessed.	date
ocsf.actor.process.parent_process.file.accessed_time_dt	The time when the file was last accessed.	date
ocsf.actor.process.parent_process.file.accessor.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.parent_process.file.accessor.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.accessor.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.parent_process.file.accessor.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.parent_process.file.accessor.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.parent_process.file.accessor.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.parent_process.file.accessor.email_addr	The user's email address.	keyword
ocsf.actor.process.parent_process.file.accessor.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.parent_process.file.accessor.groups.desc	The group description.	keyword
ocsf.actor.process.parent_process.file.accessor.groups.name	The group name.	keyword
ocsf.actor.process.parent_process.file.accessor.groups.privileges	The group privileges.	keyword
ocsf.actor.process.parent_process.file.accessor.groups.type	The type of the group or account.	keyword
ocsf.actor.process.parent_process.file.accessor.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.parent_process.file.accessor.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.parent_process.file.accessor.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.parent_process.file.accessor.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.parent_process.file.accessor.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.parent_process.file.accessor.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.parent_process.file.accessor.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.parent_process.file.accessor.type_id	The account type identifier.	keyword
ocsf.actor.process.parent_process.file.accessor.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.parent_process.file.accessor.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.parent_process.file.attributes	The Bitmask value that represents the file attributes.	long
ocsf.actor.process.parent_process.file.company_name	The name of the company that published the file. For example: Microsoft Corporation.	keyword
ocsf.actor.process.parent_process.file.confidentiality	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.confidentiality_id	The normalized identifier of the file content confidentiality indicator.	keyword
ocsf.actor.process.parent_process.file.created_time	The time when the file was created.	date
ocsf.actor.process.parent_process.file.created_time_dt	The time when the file was created.	date
ocsf.actor.process.parent_process.file.creator.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.parent_process.file.creator.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.creator.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.parent_process.file.creator.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.parent_process.file.creator.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.parent_process.file.creator.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.parent_process.file.creator.email_addr	The user's email address.	keyword
ocsf.actor.process.parent_process.file.creator.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.parent_process.file.creator.groups.desc	The group description.	keyword
ocsf.actor.process.parent_process.file.creator.groups.name	The group name.	keyword
ocsf.actor.process.parent_process.file.creator.groups.privileges	The group privileges.	keyword
ocsf.actor.process.parent_process.file.creator.groups.type	The type of the group or account.	keyword
ocsf.actor.process.parent_process.file.creator.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.parent_process.file.creator.name	The name of the city.	keyword
ocsf.actor.process.parent_process.file.creator.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.parent_process.file.creator.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.parent_process.file.creator.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.parent_process.file.creator.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.parent_process.file.creator.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.parent_process.file.creator.type_id	The account type identifier.	keyword
ocsf.actor.process.parent_process.file.creator.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.parent_process.file.creator.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.parent_process.file.desc	The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.	keyword
ocsf.actor.process.parent_process.file.hashes.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.hashes.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.parent_process.file.hashes.value	The digital fingerprint value.	keyword
ocsf.actor.process.parent_process.file.is_system	The indication of whether the object is part of the operating system.	boolean
ocsf.actor.process.parent_process.file.mime_type	The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.	keyword
ocsf.actor.process.parent_process.file.modified_time	The time when the file was last modified.	date
ocsf.actor.process.parent_process.file.modified_time_dt	The time when the file was last modified.	date
ocsf.actor.process.parent_process.file.modifier.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.parent_process.file.modifier.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.modifier.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.parent_process.file.modifier.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.parent_process.file.modifier.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.parent_process.file.modifier.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.parent_process.file.modifier.email_addr	The image name. For example: elixir.	keyword
ocsf.actor.process.parent_process.file.modifier.full_name	The user's email address.	keyword
ocsf.actor.process.parent_process.file.modifier.groups.desc	The group description.	keyword
ocsf.actor.process.parent_process.file.modifier.groups.name	The group name.	keyword
ocsf.actor.process.parent_process.file.modifier.groups.privileges	The group privileges.	keyword
ocsf.actor.process.parent_process.file.modifier.groups.type	The type of the group or account.	keyword
ocsf.actor.process.parent_process.file.modifier.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.parent_process.file.modifier.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.parent_process.file.modifier.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.parent_process.file.modifier.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.parent_process.file.modifier.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.parent_process.file.modifier.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.parent_process.file.modifier.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.parent_process.file.modifier.type_id	The account type identifier.	keyword
ocsf.actor.process.parent_process.file.modifier.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.parent_process.file.modifier.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.parent_process.file.name	The name of the file. For example: svchost.exe.	keyword
ocsf.actor.process.parent_process.file.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.parent_process.file.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.parent_process.file.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.parent_process.file.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.parent_process.file.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.parent_process.file.owner.email_addr	The user's email address.	keyword
ocsf.actor.process.parent_process.file.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.parent_process.file.owner.groups.desc	The group description.	keyword
ocsf.actor.process.parent_process.file.owner.groups.name	The group name.	keyword
ocsf.actor.process.parent_process.file.owner.groups.privileges	The group privileges.	keyword
ocsf.actor.process.parent_process.file.owner.groups.type	The type of the group or account.	keyword
ocsf.actor.process.parent_process.file.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.parent_process.file.owner.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.parent_process.file.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.parent_process.file.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.parent_process.file.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.parent_process.file.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.parent_process.file.owner.type	The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.parent_process.file.owner.type_id	The account type identifier.	keyword
ocsf.actor.process.parent_process.file.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.parent_process.file.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.parent_process.file.parent_folder	The parent folder in which the file resides. For example: c:\windows\system32.	keyword
ocsf.actor.process.parent_process.file.path	The full path to the file. For example: c:\windows\system32\svchost.exe.	keyword
ocsf.actor.process.parent_process.file.product.feature.name	The name of the feature.	keyword
ocsf.actor.process.parent_process.file.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.actor.process.parent_process.file.product.feature.version	The version of the feature.	keyword
ocsf.actor.process.parent_process.file.product.lang	The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.actor.process.parent_process.file.product.name	The name of the feature.	keyword
ocsf.actor.process.parent_process.file.product.path	The installation path of the product.	keyword
ocsf.actor.process.parent_process.file.product.uid	The unique identifier of the feature.	keyword
ocsf.actor.process.parent_process.file.product.url_string	The URL pointing towards the product.	keyword
ocsf.actor.process.parent_process.file.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.actor.process.parent_process.file.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.actor.process.parent_process.file.security_descriptor	The object security descriptor.	keyword
ocsf.actor.process.parent_process.file.signature.algorithm	The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.signature.algorithm_id	The identifier of the normalized digital signature algorithm.	keyword
ocsf.actor.process.parent_process.file.signature.certificate.created_time	The time when the certificate was created.	date
ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.actor.process.parent_process.file.signature.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.actor.process.parent_process.file.signature.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.actor.process.parent_process.file.signature.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.actor.process.parent_process.file.signature.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.actor.process.parent_process.file.signature.certificate.version	The certificate version.	keyword
ocsf.actor.process.parent_process.file.signature.created_time	The time when the digital signature was created.	date
ocsf.actor.process.parent_process.file.signature.created_time_dt	The time when the digital signature was created.	date
ocsf.actor.process.parent_process.file.signature.developer_uid	The developer ID on the certificate that signed the file.	keyword
ocsf.actor.process.parent_process.file.signature.digest.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.file.signature.digest.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.actor.process.parent_process.file.signature.digest.value	The digital fingerprint value.	keyword
ocsf.actor.process.parent_process.file.size	The size of data, in bytes.	long
ocsf.actor.process.parent_process.file.type	The file type.	keyword
ocsf.actor.process.parent_process.file.type_id	The file type ID.	keyword
ocsf.actor.process.parent_process.file.uid	The unique identifier of the file as defined by the storage system, such the file system file ID.	keyword
ocsf.actor.process.parent_process.file.version	The file version. For example: 8.0.7601.17514.	keyword
ocsf.actor.process.parent_process.file.xattributes	An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.	flattened
ocsf.actor.process.parent_process.group.desc	The group description.	keyword
ocsf.actor.process.parent_process.group.name	The group name.	keyword
ocsf.actor.process.parent_process.group.privileges	The group privileges.	keyword
ocsf.actor.process.parent_process.group.type	The type of the group or account.	keyword
ocsf.actor.process.parent_process.group.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.parent_process.integrity	The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).	keyword
ocsf.actor.process.parent_process.integrity_id	The normalized identifier of the process integrity level (Windows only).	keyword
ocsf.actor.process.parent_process.lineage	The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].	keyword
ocsf.actor.process.parent_process.loaded_modules	The list of loaded module names.	keyword
ocsf.actor.process.parent_process.name	The friendly name of the process, for example: Notepad++.	keyword
ocsf.actor.process.parent_process.namespace_pid	If running under a process namespace (such as in a container), the process identifier within that process namespace.	long
ocsf.actor.process.parent_process.parent_process	The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.	flattened
ocsf.actor.process.parent_process.parent_process_keyword		keyword
ocsf.actor.process.parent_process.pid	The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.	long
ocsf.actor.process.parent_process.sandbox	The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.	keyword
ocsf.actor.process.parent_process.session.created_time	The time when the session was created.	date
ocsf.actor.process.parent_process.session.created_time_dt	The time when the session was created.	date
ocsf.actor.process.parent_process.session.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.parent_process.session.expiration_time	The session expiration time.	date
ocsf.actor.process.parent_process.session.expiration_time_dt	The session expiration time.	date
ocsf.actor.process.parent_process.session.is_remote	The indication of whether the session is remote.	boolean
ocsf.actor.process.parent_process.session.issuer	The identifier of the session issuer.	keyword
ocsf.actor.process.parent_process.session.mfa		boolean
ocsf.actor.process.parent_process.session.uid	The unique identifier of the session.	keyword
ocsf.actor.process.parent_process.session.uuid	The universally unique identifier of the session.	keyword
ocsf.actor.process.parent_process.terminated_time	The time when the process was terminated.	date
ocsf.actor.process.parent_process.terminated_time_dt	The time when the process was terminated.	date
ocsf.actor.process.parent_process.tid	The Identifier of the thread associated with the event, as returned by the operating system.	long
ocsf.actor.process.parent_process.uid	A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.	keyword
ocsf.actor.process.parent_process.user.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.parent_process.user.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.parent_process.user.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.parent_process.user.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.parent_process.user.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.parent_process.user.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.parent_process.user.email_addr	The user's email address.	keyword
ocsf.actor.process.parent_process.user.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.parent_process.user.groups.desc	The group description.	keyword
ocsf.actor.process.parent_process.user.groups.name	The group name.	keyword
ocsf.actor.process.parent_process.user.groups.privileges	The group privileges.	keyword
ocsf.actor.process.parent_process.user.groups.type	The type of the group or account.	keyword
ocsf.actor.process.parent_process.user.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.parent_process.user.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.parent_process.user.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.parent_process.user.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.parent_process.user.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.parent_process.user.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.parent_process.user.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.parent_process.user.type_id	The account type identifier.	keyword
ocsf.actor.process.parent_process.user.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.parent_process.user.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.parent_process.xattributes	An unordered collection of zero or more name/value pairs that represent a process extended attribute.	flattened
ocsf.actor.process.pid	The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.	long
ocsf.actor.process.sandbox	The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.	keyword
ocsf.actor.process.session.created_time	The time when the session was created.	date
ocsf.actor.process.session.created_time_dt	The time when the session was created.	date
ocsf.actor.process.session.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.session.expiration_time	The session expiration time.	date
ocsf.actor.process.session.expiration_time_dt	The session expiration time.	date
ocsf.actor.process.session.is_remote	The indication of whether the session is remote.	boolean
ocsf.actor.process.session.issuer	The identifier of the session issuer.	keyword
ocsf.actor.process.session.mfa		boolean
ocsf.actor.process.session.uid	The unique identifier of the session.	keyword
ocsf.actor.process.session.uuid	The universally unique identifier of the session.	keyword
ocsf.actor.process.terminated_time	The time when the process was terminated.	date
ocsf.actor.process.terminated_time_dt	The time when the process was terminated.	date
ocsf.actor.process.tid	The Identifier of the thread associated with the event, as returned by the operating system.	long
ocsf.actor.process.uid	A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.	keyword
ocsf.actor.process.user.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.process.user.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.process.user.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.process.user.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.process.user.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.process.user.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.process.user.email_addr	The user's email address.	keyword
ocsf.actor.process.user.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.process.user.groups.desc	The group description.	keyword
ocsf.actor.process.user.groups.name	The group name.	keyword
ocsf.actor.process.user.groups.privileges	The group privileges.	keyword
ocsf.actor.process.user.groups.type	The type of the group or account.	keyword
ocsf.actor.process.user.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.process.user.name	The username. For example, janedoe1.	keyword
ocsf.actor.process.user.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.process.user.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.process.user.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.process.user.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.process.user.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.process.user.type_id	The account type identifier.	keyword
ocsf.actor.process.user.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.process.user.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actor.process.xattributes	An unordered collection of zero or more name/value pairs that represent a process extended attribute.	flattened
ocsf.actor.session.created_time	The time when the session was created.	date
ocsf.actor.session.created_time_dt	The time when the session was created.	date
ocsf.actor.session.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.session.expiration_time	The session expiration time.	date
ocsf.actor.session.expiration_time_dt	The session expiration time.	date
ocsf.actor.session.is_remote	The indication of whether the session is remote.	boolean
ocsf.actor.session.issuer	The identifier of the session issuer.	keyword
ocsf.actor.session.mfa		boolean
ocsf.actor.session.uid	The unique identifier of the session.	keyword
ocsf.actor.session.uuid	The universally unique identifier of the session.	keyword
ocsf.actor.user.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.actor.user.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.actor.user.account.type_id	The normalized account type identifier.	keyword
ocsf.actor.user.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.actor.user.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.actor.user.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.actor.user.email_addr	The user's email address.	keyword
ocsf.actor.user.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.actor.user.groups.desc	The group description.	keyword
ocsf.actor.user.groups.name	The group name.	keyword
ocsf.actor.user.groups.privileges	The group privileges.	keyword
ocsf.actor.user.groups.type	The type of the group or account.	keyword
ocsf.actor.user.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.actor.user.name	The username. For example, janedoe1.	keyword
ocsf.actor.user.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.actor.user.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.actor.user.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.actor.user.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.actor.user.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.actor.user.type_id	The account type identifier.	keyword
ocsf.actor.user.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.actor.user.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.actual_permissions	The permissions that were granted to the in a platform-native format.	long
ocsf.analytic.category	The analytic category.	keyword
ocsf.analytic.desc	The description of the analytic that generated the finding.	keyword
ocsf.analytic.name	The name of the analytic that generated the finding.	keyword
ocsf.analytic.related_analytics.category	The analytic category.	keyword
ocsf.analytic.related_analytics.desc	The description of the analytic that generated the finding.	keyword
ocsf.analytic.related_analytics.name	The name of the analytic that generated the finding.	keyword
ocsf.analytic.related_analytics.related_analytics		flattened
ocsf.analytic.related_analytics.type	The analytic type.	keyword
ocsf.analytic.related_analytics.type_id	The analytic type ID.	keyword
ocsf.analytic.related_analytics.uid	The unique identifier of the analytic that generated the finding.	keyword
ocsf.analytic.related_analytics.version	The analytic version. For example: 1.1.	keyword
ocsf.analytic.type	The analytic type.	keyword
ocsf.analytic.type_id	The analytic type ID.	keyword
ocsf.analytic.uid	The unique identifier of the analytic that generated the finding.	keyword
ocsf.analytic.version	The analytic version. For example: 1.1.	keyword
ocsf.answers.class	The class of DNS data contained in this resource record. See RFC1035. For example: IN.	keyword
ocsf.answers.flag_ids	The list of DNS answer header flag IDs.	keyword
ocsf.answers.flags	The list of DNS answer header flags.	keyword
ocsf.answers.packet_uid	The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.	keyword
ocsf.answers.rdata	The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.	keyword
ocsf.answers.ttl	The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.	long
ocsf.answers.type	The type of data contained in this resource record. See RFC1035. For example: CNAME.	keyword
ocsf.api.operation	Verb/Operation associated with the request.	keyword
ocsf.api.request.flags	The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.	keyword
ocsf.api.request.uid	The unique request identifier.	keyword
ocsf.api.response.code	The numeric response sent to a request.	long
ocsf.api.response.error	Error Code.	keyword
ocsf.api.response.error_message	Error Message.	keyword
ocsf.api.response.flags	The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.	keyword
ocsf.api.response.message	The description of the event, as defined by the event source.	keyword
ocsf.api.service.labels	The list of labels associated with the service.	keyword
ocsf.api.service.name	The name of the service.	keyword
ocsf.api.service.uid	The unique identifier of the service.	keyword
ocsf.api.service.version	The version of the service.	keyword
ocsf.api.version	The version of the API service.	keyword
ocsf.app.feature.name	The name of the feature.	keyword
ocsf.app.feature.uid	The unique identifier of the feature.	keyword
ocsf.app.feature.version	The version of the feature.	keyword
ocsf.app.lang	The two letter lower case language codes, as defined by ISO 639-1.	keyword
ocsf.app.name	The CIS benchmark name.	keyword
ocsf.app.path	The installation path of the product.	keyword
ocsf.app.uid	The unique identifier of the product.	keyword
ocsf.app.url_string	The URL pointing towards the product.	keyword
ocsf.app.vendor_name	The name of the vendor of the product.	keyword
ocsf.app.version	The version of the product, as defined by the event source.	keyword
ocsf.app_name	The name of the application that is associated with the event or object.	keyword
ocsf.attacks.tactics.name	The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM.	keyword
ocsf.attacks.tactics.uid	The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM.	keyword
ocsf.attacks.technique.name	The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.	keyword
ocsf.attacks.technique.uid	The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.	keyword
ocsf.attacks.version	The ATT&CK Matrix version.	keyword
ocsf.attempt	The attempt number for attempting to deliver the email.	long
ocsf.auth_protocol	The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.auth_protocol_id	The normalized identifier of the authentication protocol used to create the user session.	keyword
ocsf.banner	The initial SMTP connection response that a messaging server receives after it connects to a email server.	keyword
ocsf.base_address	The memory address that was access or requested.	keyword
ocsf.capabilities	A list of RDP capabilities.	keyword
ocsf.category_name	The event category name, as defined by category_uid value: Identity & Access Management.	keyword
ocsf.category_uid	The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.	keyword
ocsf.certificate.created_time	The time when the certificate was created.	date
ocsf.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.certificate.version	The certificate version.	keyword
ocsf.certificate_chain	The list of observed certificates in an RDP TLS connection.	keyword
ocsf.cis_benchmark_result.desc	The CIS benchmark description.	keyword
ocsf.cis_benchmark_result.name	The CIS benchmark name.	keyword
ocsf.cis_benchmark_result.remediation.desc	The description of the remediation strategy.	keyword
ocsf.cis_benchmark_result.remediation.kb_articles	The KB article/s related to the entity.	keyword
ocsf.cis_benchmark_result.rule.category	The rule category.	keyword
ocsf.cis_benchmark_result.rule.desc	The description of the rule that generated the event.	keyword
ocsf.cis_benchmark_result.rule.name	The name of the rule that generated the event.	keyword
ocsf.cis_benchmark_result.rule.type	The rule type.	keyword
ocsf.cis_benchmark_result.rule.uid	The unique identifier of the rule that generated the event.	keyword
ocsf.cis_benchmark_result.rule.version	The rule version.	keyword
ocsf.cis_csc.control	The CIS critical security control.	keyword
ocsf.cis_csc.version	The CIS critical security control version.	keyword
ocsf.class_name	The event class name, as defined by class_uid value: Security Finding.	keyword
ocsf.class_uid	The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.	keyword
ocsf.client_dialects	The list of SMB dialects that the client speaks.	keyword
ocsf.client_hassh.algorithm	The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation.	keyword
ocsf.client_hassh.fingerprint.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.client_hassh.fingerprint.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.client_hassh.fingerprint.value	The digital fingerprint value.	keyword
ocsf.cloud.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.cloud.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.cloud.account.type_id	The normalized account type identifier.	keyword
ocsf.cloud.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.cloud.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.cloud.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.cloud.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.cloud.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.cloud.project_uid	The unique identifier of a Cloud project.	keyword
ocsf.cloud.provider	The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.	keyword
ocsf.cloud.region	The name of the cloud region, as defined by the cloud provider.	keyword
ocsf.cloud.zone	The availability zone in the cloud region, as defined by the cloud provider.	keyword
ocsf.codes	The list of return codes to the FTP command.	long
ocsf.command	The command name.	keyword
ocsf.command_responses	The list of responses to the FTP command.	keyword
ocsf.comment	The user provided comment about why the entity was changed.	keyword
ocsf.compliance.requirements	A list of applicable compliance requirements for which this finding is related to.	keyword
ocsf.compliance.status	The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.compliance.status_detail	The status details contains additional information about the event outcome.	keyword
ocsf.component	The name or relative pathname of a sub-component of the data object, if applicable.	keyword
ocsf.confidence	The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.confidence_id	The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.	keyword
ocsf.confidence_score	The confidence score as reported by the event source.	long
ocsf.connection_info.boundary	The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.	keyword
ocsf.connection_info.boundary_id	The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.	keyword
ocsf.connection_info.direction	The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.connection_info.direction_id	The normalized identifier of the direction of the initiated connection, traffic, or email.	keyword
ocsf.connection_info.protocol_name	The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.	keyword
ocsf.connection_info.protocol_num	The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.	keyword
ocsf.connection_info.protocol_ver	The Internet Protocol version.	keyword
ocsf.connection_info.protocol_ver_id	The Internet Protocol version identifier.	keyword
ocsf.connection_info.tcp_flags	The network connection TCP header flags (i.e., control bits).	long
ocsf.connection_info.uid	The unique identifier of the connection.	keyword
ocsf.connection_uid	The network connection identifier.	keyword
ocsf.count	The number of times that events in the same logical group occurred during the event Start Time to End Time period.	long
ocsf.create_mask	The original Windows mask that is required to create the object.	keyword
ocsf.data_sources	The data sources for the finding.	keyword
ocsf.dce_rpc.command	The request command (e.g. REQUEST, BIND).	keyword
ocsf.dce_rpc.command_response	The reply to the request command (e.g. RESPONSE, BINDACK or FAULT).	keyword
ocsf.dce_rpc.flags	The list of interface flags.	keyword
ocsf.dce_rpc.opnum	An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.	long
ocsf.dce_rpc.rpc_interface.ack_reason	An integer that provides a reason code or additional information about the acknowledgment result.	long
ocsf.dce_rpc.rpc_interface.ack_result	An integer that denotes the acknowledgment result of the DCE/RPC call.	long
ocsf.dce_rpc.rpc_interface.uuid	The unique identifier of the particular remote procedure or service.	keyword
ocsf.dce_rpc.rpc_interface.version	The version of the DCE/RPC protocol being used in the session.	keyword
ocsf.device.autoscale_uid	The unique identifier of the cloud autoscale configuration.	keyword
ocsf.device.created_time	The time when the device was known to have been created.	date
ocsf.device.created_time_dt	TThe time when the device was known to have been created.	date
ocsf.device.desc	The description of the device, ordinarily as reported by the operating system.	keyword
ocsf.device.domain	The network domain where the device resides. For example: work.example.com.	keyword
ocsf.device.first_seen_time	The initial discovery time of the device.	date
ocsf.device.first_seen_time_dt	The initial discovery time of the device.	date
ocsf.device.groups.desc	The group description.	keyword
ocsf.device.groups.name	The group name.	keyword
ocsf.device.groups.privileges	The group privileges.	keyword
ocsf.device.groups.type	The type of the group or account.	keyword
ocsf.device.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.device.hostname	The devicename.	keyword
ocsf.device.hw_info.bios_date	The BIOS date. For example: 03/31/16.	keyword
ocsf.device.hw_info.bios_manufacturer	The BIOS manufacturer. For example: LENOVO.	keyword
ocsf.device.hw_info.bios_ver	The BIOS version. For example: LENOVO G5ETA2WW (2.62).	keyword
ocsf.device.hw_info.chassis	The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.	keyword
ocsf.device.hw_info.cpu_bits	The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.	long
ocsf.device.hw_info.cpu_cores	The number of processor cores in all installed processors. For Example: 42.	long
ocsf.device.hw_info.cpu_count	The number of physical processors on a system. For example: 1.	long
ocsf.device.hw_info.cpu_speed	The speed of the processor in Mhz. For Example: 4200.	long
ocsf.device.hw_info.cpu_type	The processor type. For example: x86 Family 6 Model 37 Stepping 5.	keyword
ocsf.device.hw_info.desktop_display.color_depth	The numeric color depth.	long
ocsf.device.hw_info.desktop_display.physical_height	The numeric physical height of display.	long
ocsf.device.hw_info.desktop_display.physical_orientation	The numeric physical orientation of display.	long
ocsf.device.hw_info.desktop_display.physical_width	The numeric physical width of display.	long
ocsf.device.hw_info.desktop_display.scale_factor	The numeric scale factor of display.	long
ocsf.device.hw_info.keyboard_info.function_keys	The number of function keys on client keyboard.	long
ocsf.device.hw_info.keyboard_info.ime	The Input Method Editor (IME) file name.	keyword
ocsf.device.hw_info.keyboard_info.keyboard_layout	The keyboard locale identifier name (e.g., en-US).	keyword
ocsf.device.hw_info.keyboard_info.keyboard_subtype	The keyboard numeric code.	long
ocsf.device.hw_info.keyboard_info.keyboard_type	The keyboard type (e.g., xt, ico).	keyword
ocsf.device.hw_info.ram_size	The total amount of installed RAM, in Megabytes. For example: 2048.	long
ocsf.device.hw_info.serial_number	The device manufacturer serial number.	keyword
ocsf.device.hypervisor	The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.	keyword
ocsf.device.image.labels	The image labels.	keyword
ocsf.device.image.name	The image name. For example: elixir.	keyword
ocsf.device.image.path	The full path to the image file.	keyword
ocsf.device.image.tag	The image tag. For example: 1.11-alpine.	keyword
ocsf.device.image.uid	The unique image ID. For example: 77af4d6b9913.	keyword
ocsf.device.imei	The International Mobile Station Equipment Identifier that is associated with the device.	keyword
ocsf.device.instance_uid	The unique identifier of a VM instance.	keyword
ocsf.device.interface_name	The name of the network interface (e.g. eth2).	keyword
ocsf.device.interface_uid	The unique identifier of the network interface.	keyword
ocsf.device.ip	The device IP address, in either IPv4 or IPv6 format.	ip
ocsf.device.is_compliant	The event occurred on a compliant device.	boolean
ocsf.device.is_managed	The event occurred on a managed device.	boolean
ocsf.device.is_personal	The event occurred on a personal device.	boolean
ocsf.device.is_trusted	The event occurred on a trusted device.	boolean
ocsf.device.last_seen_time	The most recent discovery time of the device.	date
ocsf.device.last_seen_time_dt	The most recent discovery time of the device.	date
ocsf.device.location.city	The name of the city.	keyword
ocsf.device.location.continent	The name of the continent.	keyword
ocsf.device.location.coordinates	A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.	geo_point
ocsf.device.location.country	The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.	keyword
ocsf.device.location.desc	The description of the geographical location.	keyword
ocsf.device.location.is_on_premises	The indication of whether the location is on premises.	boolean
ocsf.device.location.isp	The name of the Internet Service Provider (ISP).	keyword
ocsf.device.location.postal_code	The postal code of the location.	keyword
ocsf.device.location.provider	The provider of the geographical location data.	keyword
ocsf.device.location.region	The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.	keyword
ocsf.device.mac	The device Media Access Control (MAC) address.	keyword
ocsf.device.modified_time	The time when the device was last known to have been modified.	date
ocsf.device.modified_time_dt	The time when the device was last known to have been modified.	date
ocsf.device.name	The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.	keyword
ocsf.device.network_interfaces.hostname	The hostname associated with the network interface.	keyword
ocsf.device.network_interfaces.ip	The IP address associated with the network interface.	ip
ocsf.device.network_interfaces.mac	The MAC address of the network interface.	keyword
ocsf.device.network_interfaces.name	The name of the network interface.	keyword
ocsf.device.network_interfaces.namespace	The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.	keyword
ocsf.device.network_interfaces.subnet_prefix	The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.	long
ocsf.device.network_interfaces.type	The type of network interface.	keyword
ocsf.device.network_interfaces.type_id	The network interface type identifier.	keyword
ocsf.device.network_interfaces.uid	The unique identifier for the network interface.	keyword
ocsf.device.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.device.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.device.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.device.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.device.os.build	The operating system build number.	keyword
ocsf.device.os.country	The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.	keyword
ocsf.device.os.cpu_bits	The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64.	long
ocsf.device.os.edition	The operating system edition. For example, Professional.	keyword
ocsf.device.os.lang	The two letter lower case language codes, as defined by ISO 639-1.	keyword
ocsf.device.os.name	The operating system name.	keyword
ocsf.device.os.sp_name	The name of the latest Service Pack.	keyword
ocsf.device.os.sp_ver	The version number of the latest Service Pack.	keyword
ocsf.device.os.type	The type of the operating system.	keyword
ocsf.device.os.type_id	The type identifier of the operating system.	keyword
ocsf.device.os.version	The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".	keyword
ocsf.device.region	The region where the virtual machine is located. For example, an AWS Region.	keyword
ocsf.device.risk_level	The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.device.risk_level_id	The normalized risk level id.	keyword
ocsf.device.risk_score	The risk score as reported by the event source.	long
ocsf.device.subnet	The subnet mask.	ip_range
ocsf.device.subnet_uid	The unique identifier of a virtual subnet.	keyword
ocsf.device.type	The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.	keyword
ocsf.device.type_id	The device type ID.	keyword
ocsf.device.uid	The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.	keyword
ocsf.device.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.device.vlan_uid	The Virtual LAN identifier.	keyword
ocsf.device.vpc_uid	The unique identifier of the Virtual Private Cloud (VPC).	keyword
ocsf.dialect	The negotiated protocol dialect.	keyword
ocsf.direction	The direction of the email, as defined by the direction_id value.	keyword
ocsf.direction_id	The direction of the email relative to the scanning host or organization.	keyword
ocsf.disposition	The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.disposition_id	When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product.	keyword
ocsf.driver.file.accessed_time	The time when the file was last accessed.	date
ocsf.driver.file.accessed_time_dt	The time when the file was last accessed.	date
ocsf.driver.file.accessor.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.driver.file.accessor.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.accessor.account.type_id	The normalized account type identifier.	keyword
ocsf.driver.file.accessor.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.driver.file.accessor.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.driver.file.accessor.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.driver.file.accessor.email_addr	The user's email address.	keyword
ocsf.driver.file.accessor.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.driver.file.accessor.groups.desc	The group description.	keyword
ocsf.driver.file.accessor.groups.name	The group name.	keyword
ocsf.driver.file.accessor.groups.privileges	The group privileges.	keyword
ocsf.driver.file.accessor.groups.type	The type of the group or account.	keyword
ocsf.driver.file.accessor.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.driver.file.accessor.name	The username. For example, janedoe1.	keyword
ocsf.driver.file.accessor.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.driver.file.accessor.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.driver.file.accessor.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.driver.file.accessor.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.driver.file.accessor.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.driver.file.accessor.type_id	The account type identifier.	keyword
ocsf.driver.file.accessor.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.driver.file.accessor.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.driver.file.attributes	The Bitmask value that represents the file attributes.	long
ocsf.driver.file.company_name	The name of the company that published the file. For example: Microsoft Corporation.	keyword
ocsf.driver.file.confidentiality	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.confidentiality_id	The normalized identifier of the file content confidentiality indicator.	keyword
ocsf.driver.file.created_time	The time when the file was created.	date
ocsf.driver.file.created_time_dt	The time when the file was created.	date
ocsf.driver.file.creator.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.driver.file.creator.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.creator.account.type_id	The normalized account type identifier.	keyword
ocsf.driver.file.creator.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.driver.file.creator.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.driver.file.creator.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.driver.file.creator.email_addr	The user's email address.	keyword
ocsf.driver.file.creator.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.driver.file.creator.groups.desc	The group description.	keyword
ocsf.driver.file.creator.groups.name	The group name.	keyword
ocsf.driver.file.creator.groups.privileges	The group privileges.	keyword
ocsf.driver.file.creator.groups.type	The type of the group or account.	keyword
ocsf.driver.file.creator.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.driver.file.creator.name	The username. For example, janedoe1.	keyword
ocsf.driver.file.creator.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.driver.file.creator.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.driver.file.creator.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.driver.file.creator.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.driver.file.creator.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.driver.file.creator.type_id	The account type identifier.	keyword
ocsf.driver.file.creator.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.driver.file.creator.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.driver.file.desc	The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.	keyword
ocsf.driver.file.hashes.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.hashes.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.driver.file.hashes.value	The digital fingerprint value.	keyword
ocsf.driver.file.is_system	The indication of whether the object is part of the operating system.	boolean
ocsf.driver.file.mime_type	The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.	keyword
ocsf.driver.file.modified_time	The time when the file was last modified.	date
ocsf.driver.file.modified_time_dt	The time when the file was last modified.	date
ocsf.driver.file.modifier.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.driver.file.modifier.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.modifier.account.type_id	The normalized account type identifier.	keyword
ocsf.driver.file.modifier.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.driver.file.modifier.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.driver.file.modifier.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.driver.file.modifier.email_addr	The user's email address.	keyword
ocsf.driver.file.modifier.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.driver.file.modifier.groups.desc	The group description.	keyword
ocsf.driver.file.modifier.groups.name	The group name.	keyword
ocsf.driver.file.modifier.groups.privileges	The group privileges.	keyword
ocsf.driver.file.modifier.groups.type	The type of the group or account.	keyword
ocsf.driver.file.modifier.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.driver.file.modifier.name	The username. For example, janedoe1.	keyword
ocsf.driver.file.modifier.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.driver.file.modifier.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.driver.file.modifier.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.driver.file.modifier.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.driver.file.modifier.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.driver.file.modifier.type_id	The account type identifier.	keyword
ocsf.driver.file.modifier.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.driver.file.modifier.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.driver.file.name	The name of the file. For example: svchost.exe.	keyword
ocsf.driver.file.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.driver.file.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.driver.file.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.driver.file.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.driver.file.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.driver.file.owner.email_addr	The user's email address.	keyword
ocsf.driver.file.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.driver.file.owner.groups.desc	The group description.	keyword
ocsf.driver.file.owner.groups.name	The group name.	keyword
ocsf.driver.file.owner.groups.privileges	The group privileges.	keyword
ocsf.driver.file.owner.groups.type	The type of the group or account.	keyword
ocsf.driver.file.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.driver.file.owner.name	The username. For example, janedoe1.	keyword
ocsf.driver.file.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.driver.file.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.driver.file.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.driver.file.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.driver.file.owner.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.driver.file.owner.type_id	The account type identifier.	keyword
ocsf.driver.file.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.driver.file.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.driver.file.parent_folder	The parent folder in which the file resides. For example: c:\windows\system32.	keyword
ocsf.driver.file.path	The full path to the file. For example: c:\windows\system32\svchost.exe.	keyword
ocsf.driver.file.product.feature.name	The name of the feature.	keyword
ocsf.driver.file.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.driver.file.product.feature.version	The version of the feature.	keyword
ocsf.driver.file.product.lang	The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.driver.file.product.name	The name of the product.	keyword
ocsf.driver.file.product.path	The installation path of the product.	keyword
ocsf.driver.file.product.uid	The unique identifier of the product.	keyword
ocsf.driver.file.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.driver.file.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.driver.file.security_descriptor	The object security descriptor.	keyword
ocsf.driver.file.signature.algorithm	The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.signature.algorithm_id	The identifier of the normalized digital signature algorithm.	keyword
ocsf.driver.file.signature.certificate.created_time	The time when the certificate was created.	date
ocsf.driver.file.signature.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.driver.file.signature.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.driver.file.signature.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.driver.file.signature.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.signature.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.driver.file.signature.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.driver.file.signature.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.driver.file.signature.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.driver.file.signature.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.driver.file.signature.certificate.version	The certificate version.	keyword
ocsf.driver.file.signature.created_time	The time when the digital signature was created.	date
ocsf.driver.file.signature.created_time_dt	The time when the digital signature was created.	date
ocsf.driver.file.signature.developer_uid	The developer ID on the certificate that signed the file.	keyword
ocsf.driver.file.signature.digest.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.driver.file.signature.digest.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.driver.file.signature.digest.value	The digital fingerprint value.	keyword
ocsf.driver.file.size	The size of data, in bytes.	long
ocsf.driver.file.type	The file type.	keyword
ocsf.driver.file.type_id	The file type ID.	keyword
ocsf.driver.file.uid	The unique identifier of the file as defined by the storage system, such the file system file ID.	keyword
ocsf.driver.file.version	The file version. For example: 8.0.7601.17514.	keyword
ocsf.driver.file.xattributes	An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.	flattened
ocsf.dst_endpoint.domain	The name of the domain.	keyword
ocsf.dst_endpoint.hostname	The fully qualified name of the endpoint.	keyword
ocsf.dst_endpoint.instance_uid	The unique identifier of a VM instance.	keyword
ocsf.dst_endpoint.interface_name	The name of the network interface (e.g. eth2).	keyword
ocsf.dst_endpoint.interface_uid	The unique identifier of the network interface.	keyword
ocsf.dst_endpoint.intermediate_ips	The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.	ip
ocsf.dst_endpoint.ip	The IP address of the endpoint, in either IPv4 or IPv6 format.	ip
ocsf.dst_endpoint.location.city	The name of the city.	keyword
ocsf.dst_endpoint.location.continent	The name of the continent.	keyword
ocsf.dst_endpoint.location.coordinates	A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.	geo_point
ocsf.dst_endpoint.location.country	The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.	keyword
ocsf.dst_endpoint.location.desc	The description of the geographical location.	keyword
ocsf.dst_endpoint.location.is_on_premises	The indication of whether the location is on premises.	boolean
ocsf.dst_endpoint.location.isp	The name of the Internet Service Provider (ISP).	keyword
ocsf.dst_endpoint.location.postal_code	The postal code of the location.	keyword
ocsf.dst_endpoint.location.provider	The provider of the geographical location data.	keyword
ocsf.dst_endpoint.location.region	The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.	keyword
ocsf.dst_endpoint.mac	The Media Access Control (MAC) address of the endpoint.	keyword
ocsf.dst_endpoint.name	The short name of the endpoint.	keyword
ocsf.dst_endpoint.port	The port used for communication within the network connection.	long
ocsf.dst_endpoint.subnet_uid	The unique identifier of a virtual subnet.	keyword
ocsf.dst_endpoint.svc_name	The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.	keyword
ocsf.dst_endpoint.uid	The unique identifier of the endpoint.	keyword
ocsf.dst_endpoint.vlan_uid	The Virtual LAN identifier.	keyword
ocsf.dst_endpoint.vpc_uid	The unique identifier of the Virtual Private Cloud (VPC).	keyword
ocsf.duration	The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.	long
ocsf.email.cc	The email header Cc values, as defined by RFC 5322.	keyword
ocsf.email.delivered_to	The Delivered-To email header field.	keyword
ocsf.email.from	The email header From values, as defined by RFC 5322.	keyword
ocsf.email.message_uid	The email header Message-Id value, as defined by RFC 5322.	keyword
ocsf.email.raw_header	The email authentication header.	keyword
ocsf.email.reply_to	The email header Reply-To values, as defined by RFC 5322.	keyword
ocsf.email.size	The size in bytes of the email, including attachments.	long
ocsf.email.smtp_from	The value of the SMTP MAIL FROM command.	keyword
ocsf.email.smtp_to	The value of the SMTP envelope RCPT TO command.	keyword
ocsf.email.subject	The email header Subject value, as defined by RFC 5322.	keyword
ocsf.email.to	The email header To values, as defined by RFC 5322.	keyword
ocsf.email.uid	The email unique identifier.	keyword
ocsf.email.x_originating_ip	The X-Originating-IP header identifying the emails originating IP address(es).	ip
ocsf.email_auth.dkim	The DomainKeys Identified Mail (DKIM) status of the email.	keyword
ocsf.email_auth.dkim_domain	The DomainKeys Identified Mail (DKIM) signing domain of the email.	keyword
ocsf.email_auth.dkim_signature	The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.	keyword
ocsf.email_auth.dmarc	The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.	keyword
ocsf.email_auth.dmarc_override	The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.	keyword
ocsf.email_auth.dmarc_policy	The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.	keyword
ocsf.email_auth.spf	The Sender Policy Framework (SPF) status of the email.	keyword
ocsf.email_uid	The unique identifier of the email, used to correlate related email alert and activity events.	keyword
ocsf.end_time	The end time of a time period, or the time of the most recent event included in the aggregate event.	date
ocsf.end_time_dt	The end time of a time period, or the time of the most recent event included in the aggregate event.	date
ocsf.enrichments.data	The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.	flattened
ocsf.enrichments.name	The name of the attribute to which the enriched data pertains.	keyword
ocsf.enrichments.provider	The enrichment data provider name.	keyword
ocsf.enrichments.type	The enrichment type. For example, location.	keyword
ocsf.enrichments.value	The value of the attribute to which the enriched data pertains.	keyword
ocsf.entity.data	The managed entity content as a JSON object.	flattened
ocsf.entity.name	The name of the managed entity.	keyword
ocsf.entity.type	The managed entity type.	keyword
ocsf.entity.uid	The identifier of the managed entity.	keyword
ocsf.entity.version	The version of the managed entity.	keyword
ocsf.entity_result.data	The managed entity content as a JSON object.	flattened
ocsf.entity_result.name	The name of the managed entity.	keyword
ocsf.entity_result.type	The managed entity type.	keyword
ocsf.entity_result.uid	The identifier of the managed entity.	keyword
ocsf.entity_result.version	The version of the managed entity.	keyword
ocsf.evidence	The data the finding exposes to the analyst.	flattened
ocsf.exit_code	The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.	keyword
ocsf.expiration_time	The share expiration time.	date
ocsf.expiration_time_dt	The share expiration time.	date
ocsf.file.accessed_time	The time when the file was last accessed.	date
ocsf.file.accessed_time_dt	The time when the file was last accessed.	date
ocsf.file.accessor.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file.accessor.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.accessor.account.type_id	The normalized account type identifier.	keyword
ocsf.file.accessor.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file.accessor.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file.accessor.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file.accessor.email_addr	The user's email address.	keyword
ocsf.file.accessor.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file.accessor.groups.desc	The group description.	keyword
ocsf.file.accessor.groups.name	The group name.	keyword
ocsf.file.accessor.groups.privileges	The group privileges.	keyword
ocsf.file.accessor.groups.type	The type of the group or account.	keyword
ocsf.file.accessor.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file.accessor.name	The username. For example, janedoe1.	keyword
ocsf.file.accessor.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file.accessor.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file.accessor.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file.accessor.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file.accessor.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file.accessor.type_id	The account type identifier.	keyword
ocsf.file.accessor.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file.accessor.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file.attributes	The Bitmask value that represents the file attributes.	long
ocsf.file.company_name	The name of the company that published the file. For example: Microsoft Corporation.	keyword
ocsf.file.confidentiality	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.confidentiality_id	The normalized identifier of the file content confidentiality indicator.	keyword
ocsf.file.created_time	The time when the file was created.	date
ocsf.file.created_time_dt	The time when the file was created.	date
ocsf.file.creator.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file.creator.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.creator.account.type_id	The normalized account type identifier.	keyword
ocsf.file.creator.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file.creator.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file.creator.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file.creator.email_addr	The user's email address.	keyword
ocsf.file.creator.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file.creator.groups.desc	The group description.	keyword
ocsf.file.creator.groups.name	The group name.	keyword
ocsf.file.creator.groups.privileges	The group privileges.	keyword
ocsf.file.creator.groups.type	The type of the group or account.	keyword
ocsf.file.creator.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file.creator.name	The username. For example, janedoe1.	keyword
ocsf.file.creator.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file.creator.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file.creator.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file.creator.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file.creator.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file.creator.type_id	The account type identifier.	keyword
ocsf.file.creator.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file.creator.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file.desc	The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.	keyword
ocsf.file.hashes.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.hashes.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.file.hashes.value	The digital fingerprint value.	keyword
ocsf.file.is_system	The indication of whether the object is part of the operating system.	boolean
ocsf.file.mime_type	The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.	keyword
ocsf.file.modified_time	The time when the file was last modified.	date
ocsf.file.modified_time_dt	The time when the file was last modified.	date
ocsf.file.modifier.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file.modifier.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.modifier.account.type_id	The normalized account type identifier.	keyword
ocsf.file.modifier.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file.modifier.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file.modifier.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file.modifier.email_addr	The user's email address.	keyword
ocsf.file.modifier.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file.modifier.groups.desc	The group description.	keyword
ocsf.file.modifier.groups.name	The group name.	keyword
ocsf.file.modifier.groups.privileges	The group privileges.	keyword
ocsf.file.modifier.groups.type	The type of the group or account.	keyword
ocsf.file.modifier.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file.modifier.name	The username. For example, janedoe1.	keyword
ocsf.file.modifier.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file.modifier.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file.modifier.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file.modifier.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file.modifier.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file.modifier.type_id	The account type identifier.	keyword
ocsf.file.modifier.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file.modifier.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file.name	The name of the file. For example: svchost.exe.	keyword
ocsf.file.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.file.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file.owner.email_addr	The user's email address.	keyword
ocsf.file.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file.owner.groups.desc	The group description.	keyword
ocsf.file.owner.groups.name	The group name.	keyword
ocsf.file.owner.groups.privileges	The group privileges.	keyword
ocsf.file.owner.groups.type	The type of the group or account.	keyword
ocsf.file.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file.owner.name	The username. For example, janedoe1.	keyword
ocsf.file.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file.owner.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file.owner.type_id	The account type identifier.	keyword
ocsf.file.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file.parent_folder	The parent folder in which the file resides. For example: c:\windows\system32.	keyword
ocsf.file.path	The full path to the file. For example: c:\windows\system32\svchost.exe.	keyword
ocsf.file.product.feature.name	The name of the feature.	keyword
ocsf.file.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.file.product.feature.version	The version of the feature.	keyword
ocsf.file.product.lang	The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.file.product.name	The name of the product.	keyword
ocsf.file.product.path	The installation path of the product.	keyword
ocsf.file.product.uid	The unique identifier of the product.	keyword
ocsf.file.product.url_string	The URL pointing towards the product.	keyword
ocsf.file.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.file.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.file.security_descriptor	The object security descriptor.	keyword
ocsf.file.signature.algorithm	The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.signature.algorithm_id	The identifier of the normalized digital signature algorithm.	keyword
ocsf.file.signature.certificate.created_time	The time when the certificate was created.	date
ocsf.file.signature.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.file.signature.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.file.signature.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.file.signature.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.signature.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.file.signature.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.file.signature.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.file.signature.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.file.signature.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.file.signature.certificate.version	The certificate version.	keyword
ocsf.file.signature.created_time	The time when the digital signature was created.	date
ocsf.file.signature.created_time_dt	The time when the digital signature was created.	date
ocsf.file.signature.developer_uid	The developer ID on the certificate that signed the file.	keyword
ocsf.file.signature.digest.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file.signature.digest.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.file.signature.digest.value	The digital fingerprint value.	keyword
ocsf.file.size	The size of data, in bytes.	long
ocsf.file.type	The file type.	keyword
ocsf.file.type_id	The file type ID.	keyword
ocsf.file.uid	The unique identifier of the file as defined by the storage system, such the file system file ID.	keyword
ocsf.file.version	The file version. For example: 8.0.7601.17514.	keyword
ocsf.file.xattributes	An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.	flattened
ocsf.file_diff	File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.	keyword
ocsf.file_result.accessed_time	The time when the file was last accessed.	date
ocsf.file_result.accessed_time_dt	The time when the file was last accessed.	date
ocsf.file_result.accessor.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file_result.accessor.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.accessor.account.type_id	The normalized account type identifier.	keyword
ocsf.file_result.accessor.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file_result.accessor.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file_result.accessor.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file_result.accessor.email_addr	The user's email address.	keyword
ocsf.file_result.accessor.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file_result.accessor.groups.desc	The group description.	keyword
ocsf.file_result.accessor.groups.name	The group name.	keyword
ocsf.file_result.accessor.groups.privileges	The group privileges.	keyword
ocsf.file_result.accessor.groups.type	The type of the group or account.	keyword
ocsf.file_result.accessor.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file_result.accessor.name	The username. For example, janedoe1.	keyword
ocsf.file_result.accessor.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file_result.accessor.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file_result.accessor.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file_result.accessor.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file_result.accessor.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file_result.accessor.type_id	The account type identifier.	keyword
ocsf.file_result.accessor.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file_result.accessor.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file_result.attributes	The Bitmask value that represents the file attributes.	long
ocsf.file_result.company_name	The name of the company that published the file. For example: Microsoft Corporation.	keyword
ocsf.file_result.confidentiality	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.confidentiality_id	The normalized identifier of the file content confidentiality indicator.	keyword
ocsf.file_result.created_time	The time when the file was created.	date
ocsf.file_result.created_time_dt	The time when the file was created.	date
ocsf.file_result.creator.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file_result.creator.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.creator.account.type_id	The normalized account type identifier.	keyword
ocsf.file_result.creator.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file_result.creator.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file_result.creator.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file_result.creator.email_addr	The user's email address.	keyword
ocsf.file_result.creator.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file_result.creator.groups.desc	The group description.	keyword
ocsf.file_result.creator.groups.name	The group name.	keyword
ocsf.file_result.creator.groups.privileges	The group privileges.	keyword
ocsf.file_result.creator.groups.type	The type of the group or account.	keyword
ocsf.file_result.creator.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file_result.creator.name	The username. For example, janedoe1.	keyword
ocsf.file_result.creator.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file_result.creator.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file_result.creator.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file_result.creator.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file_result.creator.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file_result.creator.type_id	The account type identifier.	keyword
ocsf.file_result.creator.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file_result.creator.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file_result.desc	The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.	keyword
ocsf.file_result.hashes.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.hashes.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.file_result.hashes.value	The digital fingerprint value.	keyword
ocsf.file_result.is_system	The indication of whether the object is part of the operating system.	boolean
ocsf.file_result.mime_type	The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.	keyword
ocsf.file_result.modified_time	The time when the file was last modified.	date
ocsf.file_result.modified_time_dt	The time when the file was last modified.	date
ocsf.file_result.modifier.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file_result.modifier.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.modifier.account.type_id	The normalized account type identifier.	keyword
ocsf.file_result.modifier.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file_result.modifier.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file_result.modifier.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file_result.modifier.email_addr	The user's email address.	keyword
ocsf.file_result.modifier.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file_result.modifier.groups.desc	The group description.	keyword
ocsf.file_result.modifier.groups.name	The group name.	keyword
ocsf.file_result.modifier.groups.privileges	The group privileges.	keyword
ocsf.file_result.modifier.groups.type	The type of the group or account.	keyword
ocsf.file_result.modifier.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file_result.modifier.name	The username. For example, janedoe1.	keyword
ocsf.file_result.modifier.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file_result.modifier.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file_result.modifier.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file_result.modifier.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file_result.modifier.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file_result.modifier.type_id	The account type identifier.	keyword
ocsf.file_result.modifier.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file_result.modifier.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file_result.name	The name of the file. For example: svchost.exe.	keyword
ocsf.file_result.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.file_result.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.file_result.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.file_result.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.file_result.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.file_result.owner.email_addr	The user's email address.	keyword
ocsf.file_result.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.file_result.owner.groups.desc	The group description.	keyword
ocsf.file_result.owner.groups.name	The group name.	keyword
ocsf.file_result.owner.groups.privileges	The group privileges.	keyword
ocsf.file_result.owner.groups.type	The type of the group or account.	keyword
ocsf.file_result.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.file_result.owner.name	The username. For example, janedoe1.	keyword
ocsf.file_result.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.file_result.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.file_result.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.file_result.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.file_result.owner.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.file_result.owner.type_id	The account type identifier.	keyword
ocsf.file_result.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.file_result.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.file_result.parent_folder	The parent folder in which the file resides. For example: c:\windows\system32.	keyword
ocsf.file_result.path	The full path to the file. For example: c:\windows\system32\svchost.exe.	keyword
ocsf.file_result.product.feature.name	The name of the feature.	keyword
ocsf.file_result.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.file_result.product.feature.version	The version of the feature.	keyword
ocsf.file_result.product.lang	The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.file_result.product.name	The name of the product.	keyword
ocsf.file_result.product.path	The installation path of the product.	keyword
ocsf.file_result.product.uid	The unique identifier of the product.	keyword
ocsf.file_result.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.file_result.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.file_result.security_descriptor	The object security descriptor.	keyword
ocsf.file_result.signature.algorithm	The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.signature.algorithm_id	The identifier of the normalized digital signature algorithm.	keyword
ocsf.file_result.signature.certificate.created_time	The time when the certificate was created.	date
ocsf.file_result.signature.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.file_result.signature.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.file_result.signature.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.file_result.signature.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.signature.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.file_result.signature.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.file_result.signature.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.file_result.signature.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.file_result.signature.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.file_result.signature.certificate.version	The certificate version.	keyword
ocsf.file_result.signature.created_time	The time when the digital signature was created.	date
ocsf.file_result.signature.created_time_dt	The time when the digital signature was created.	date
ocsf.file_result.signature.developer_uid	The developer ID on the certificate that signed the file.	keyword
ocsf.file_result.signature.digest.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.file_result.signature.digest.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.file_result.signature.digest.value	The digital fingerprint value.	keyword
ocsf.file_result.size	The size of data, in bytes.	long
ocsf.file_result.type	The file type.	keyword
ocsf.file_result.type_id	The file type ID.	keyword
ocsf.file_result.uid	The unique identifier of the file as defined by the storage system, such the file system file ID.	keyword
ocsf.file_result.version	The file version. For example: 8.0.7601.17514.	keyword
ocsf.file_result.xattributes	An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.	flattened
ocsf.finding.created_time	The time when the finding was created.	date
ocsf.finding.created_time_dt	The time when the finding was created.	date
ocsf.finding.desc	The description of the reported finding.	keyword
ocsf.finding.first_seen_time	The time when the finding was first observed.	date
ocsf.finding.first_seen_time_dt	The time when the finding was first observed.	date
ocsf.finding.last_seen_time	The time when the finding was most recently observed.	date
ocsf.finding.last_seen_time_dt	The time when the finding was most recently observed.	date
ocsf.finding.modified_time	The time when the finding was last modified.	date
ocsf.finding.modified_time_dt	The time when the finding was last modified.	date
ocsf.finding.product_uid	The unique identifier of the product that reported the finding.	keyword
ocsf.finding.related_events.product_uid	The unique identifier of the product that reported the related event.	keyword
ocsf.finding.related_events.type	The type of the related event. For example: Process Activity: Launch.	keyword
ocsf.finding.related_events.type_uid	The unique identifier of the related event type. For example: 100701.	keyword
ocsf.finding.related_events.uid	The unique identifier of the related event.	keyword
ocsf.finding.remediation.desc	The description of the remediation strategy.	keyword
ocsf.finding.remediation.kb_articles	The KB article/s related to the entity.	keyword
ocsf.finding.src_url	The URL pointing to the source of the finding.	keyword
ocsf.finding.supporting_data	Additional data supporting a finding as provided by security tool.	flattened
ocsf.finding.title	The title of the reported finding.	keyword
ocsf.finding.types	One or more types of the reported finding.	keyword
ocsf.finding.uid	The unique identifier of the reported finding.	keyword
ocsf.group.desc	The group description.	keyword
ocsf.group.name	The group name.	keyword
ocsf.group.privileges	The group privileges.	keyword
ocsf.group.type	The type of the group or account.	keyword
ocsf.group.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.http_request.args	The arguments sent along with the HTTP request.	keyword
ocsf.http_request.http_headers.name	The name of the header.	keyword
ocsf.http_request.http_headers.value	The value of the header.	keyword
ocsf.http_request.http_method	The HTTP request method indicates the desired action to be performed for a given resource.	keyword
ocsf.http_request.referrer	The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.	keyword
ocsf.http_request.uid	The unique identifier of the http request.	keyword
ocsf.http_request.url.categories	The Website categorization names, as defined by category_ids enum values.	keyword
ocsf.http_request.url.category_ids	The Website categorization identifies.	keyword
ocsf.http_request.url.hostname	The URL host as extracted from the URL. For example, www.example.com from www.example.com/download/trouble.	keyword
ocsf.http_request.url.path	The URL path as extracted from the URL. For example, /download/trouble from www.example.com/download/trouble.	keyword
ocsf.http_request.url.port	The URL port. For example, 80.	long
ocsf.http_request.url.query_string	The query portion of the URL. For example, the query portion of the URL http://www.example.com/search?q=bad\&sort=date is q=bad&sort=date.	keyword
ocsf.http_request.url.resource_type	The context in which a resource was retrieved in a web request.	keyword
ocsf.http_request.url.scheme	The scheme portion of the URL. For example, http, https, ftp, or sftp.	keyword
ocsf.http_request.url.subdomain	The subdomain portion of the URL. For example, sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com.	keyword
ocsf.http_request.url.url_string	The URL string. See RFC 1738. For example, http://www.example.com/download/trouble.exe.	keyword
ocsf.http_request.user_agent	The request header that identifies the operating system and web browser.	keyword
ocsf.http_request.version	The Hypertext Transfer Protocol (HTTP) version.	keyword
ocsf.http_request.x_forwarded_for	The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.	ip
ocsf.http_response.code	The numeric code sent from the web server to the requester.	long
ocsf.http_response.content_type	The request header that identifies the original media type of the resource (prior to any content encoding applied for sending).	keyword
ocsf.http_response.latency	The HTTP response latency. In seconds, milliseconds, etc.	long
ocsf.http_response.length	The HTTP response length, in number of bytes.	long
ocsf.http_response.message	The description of the event, as defined by the event source.	keyword
ocsf.http_response.status	The response status.	keyword
ocsf.http_status	The Hypertext Transfer Protocol (HTTP) status code returned to the client.	long
ocsf.identifier_cookie	The client identifier cookie during client/server exchange.	keyword
ocsf.impact	The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.impact_id	The normalized impact of the finding.	keyword
ocsf.impact_score	The impact of the finding, valid range 0-100.	long
ocsf.injection_type	The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.injection_type_id	The normalized identifier of the process injection method.	keyword
ocsf.is_cleartext	Indicates whether the credentials were passed in clear text.Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.	boolean
ocsf.is_mfa	Indicates whether Multi Factor Authentication was used during authentication.	boolean
ocsf.is_new_logon	Indicates logon is from a device not seen before or a first time account logon.	boolean
ocsf.is_remote	The attempted authentication is over a remote connection.	boolean
ocsf.is_renewal	The indication of whether this is a lease/session renewal event.	boolean
ocsf.kernel.is_system	The indication of whether the object is part of the operating system.	boolean
ocsf.kernel.name	The name of the kernel resource.	keyword
ocsf.kernel.path	The full path of the kernel resource.	keyword
ocsf.kernel.system_call	The system call that was invoked.	keyword
ocsf.kernel.type	The type of the kernel resource.	keyword
ocsf.kernel.type_id	The type id of the kernel resource.	keyword
ocsf.kill_chain.phase	The cyber kill chain phase.	keyword
ocsf.kill_chain.phase_id	The cyber kill chain phase identifier.	keyword
ocsf.lease_dur	This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1)	long
ocsf.logon_type	The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.logon_type_id	The normalized logon type identifier	keyword
ocsf.malware.classification_ids	The list of normalized identifiers of the malware classifications.	keyword
ocsf.malware.classifications	The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.	keyword
ocsf.malware.cves.created_time	The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.	date
ocsf.malware.cves.created_time_dt	The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.	date
ocsf.malware.cves.cvss.base_score	The CVSS base score.	double
ocsf.malware.cves.cvss.depth	The CVSS depth represents a depth of the equation used to calculate CVSS score.	keyword
ocsf.malware.cves.cvss.metrics.name	The name of the metric.	keyword
ocsf.malware.cves.cvss.metrics.value	The value of the metric.	keyword
ocsf.malware.cves.cvss.overall_score	The CVSS overall score, impacted by base, temporal, and environmental metrics.	double
ocsf.malware.cves.cvss.severity	The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.	keyword
ocsf.malware.cves.cvss.vector_string	The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.	keyword
ocsf.malware.cves.cvss.version	The CVSS version.	keyword
ocsf.malware.cves.cwe_uid	The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.	keyword
ocsf.malware.cves.cwe_url	Common Weakness Enumeration (CWE) definition URL.	keyword
ocsf.malware.cves.modified_time	The Record Modified Date identifies when the CVE record was last updated.	date
ocsf.malware.cves.modified_time_dt	The Record Modified Date identifies when the CVE record was last updated.	date
ocsf.malware.cves.product.feature.name	The name of the feature.	keyword
ocsf.malware.cves.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.malware.cves.product.feature.version	The version of the feature.	keyword
ocsf.malware.cves.product.lang	The two letter lower case language codes, as defined by ISO 639-1.	keyword
ocsf.malware.cves.product.name	The name of the product.	keyword
ocsf.malware.cves.product.path	The installation path of the product.	keyword
ocsf.malware.cves.product.uid	The unique identifier of the product.	keyword
ocsf.malware.cves.product.url_string	The URL pointing towards the product.	keyword
ocsf.malware.cves.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.malware.cves.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.malware.cves.type	The vulnerability type as selected from a large dropdown menu during CVE refinement.	keyword
ocsf.malware.cves.uid	The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.	keyword
ocsf.malware.name	The malware name, as reported by the detection engine.	keyword
ocsf.malware.path	The filesystem path of the malware that was observed.	keyword
ocsf.malware.provider	The provider of the malware information.	keyword
ocsf.malware.uid	The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id.	keyword
ocsf.message	The description of the event, as defined by the event source.	keyword
ocsf.metadata.correlation_uid	The unique identifier used to correlate events.	keyword
ocsf.metadata.event_code	The Event ID or Code that the product uses to describe the event.	keyword
ocsf.metadata.extension.name	The schema extension name. For example: dev.	keyword
ocsf.metadata.extension.uid	The schema extension unique identifier. For example: 999.	keyword
ocsf.metadata.extension.version	The schema extension version. For example: 1.0.0-alpha.2.	keyword
ocsf.metadata.labels	The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.	keyword
ocsf.metadata.log_name	The event log name. For example, syslog file name or Windows logging subsystem: Security.	keyword
ocsf.metadata.log_provider	The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.	keyword
ocsf.metadata.log_version	The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.	keyword
ocsf.metadata.logged_time	The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.	date
ocsf.metadata.logged_time_dt	The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.	date
ocsf.metadata.modified_time	The time when the event was last modified or enriched.	date
ocsf.metadata.modified_time_dt	The time when the event was last modified or enriched.	date
ocsf.metadata.original_time	The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.	keyword
ocsf.metadata.processed_time	The event processed time, such as an ETL operation.	date
ocsf.metadata.processed_time_dt	The event processed time, such as an ETL operation.	date
ocsf.metadata.product.feature.name	The name of the feature.	keyword
ocsf.metadata.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.metadata.product.feature.version	The version of the feature.	keyword
ocsf.metadata.product.lang	The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.metadata.product.name	The name of the product.	keyword
ocsf.metadata.product.path	The installation path of the product.	keyword
ocsf.metadata.product.uid	The unique identifier of the product.	keyword
ocsf.metadata.product.url_string	The URL pointing towards the product.	keyword
ocsf.metadata.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.metadata.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.metadata.profiles	The list of profiles used to create the event.	keyword
ocsf.metadata.sequence	Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.	long
ocsf.metadata.uid	The logging system-assigned unique identifier of an event instance.	keyword
ocsf.metadata.version	The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.	keyword
ocsf.module.base_address	The memory address where the module was loaded.	keyword
ocsf.module.file.accessed_time	The time when the file was last accessed.	date
ocsf.module.file.accessed_time_dt	The time when the file was last accessed.	date
ocsf.module.file.accessor.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.module.file.accessor.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.accessor.account.type_id	The normalized account type identifier.	keyword
ocsf.module.file.accessor.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.module.file.accessor.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.module.file.accessor.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.module.file.accessor.email_addr	The user's email address.	keyword
ocsf.module.file.accessor.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.module.file.accessor.groups.desc	The group description.	keyword
ocsf.module.file.accessor.groups.name	The group name.	keyword
ocsf.module.file.accessor.groups.privileges	The group privileges.	keyword
ocsf.module.file.accessor.groups.type	The type of the group or account.	keyword
ocsf.module.file.accessor.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.module.file.accessor.name	The username. For example, janedoe1.	keyword
ocsf.module.file.accessor.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.module.file.accessor.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.module.file.accessor.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.module.file.accessor.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.module.file.accessor.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.module.file.accessor.type_id	The account type identifier.	keyword
ocsf.module.file.accessor.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.module.file.accessor.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.module.file.attributes	The Bitmask value that represents the file attributes.	long
ocsf.module.file.company_name	The name of the company that published the file. For example: Microsoft Corporation.	keyword
ocsf.module.file.confidentiality	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.confidentiality_id	The normalized identifier of the file content confidentiality indicator.	keyword
ocsf.module.file.created_time	The time when the file was created.	date
ocsf.module.file.created_time_dt	The time when the file was created.	date
ocsf.module.file.creator.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.module.file.creator.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.creator.account.type_id	The normalized account type identifier.	keyword
ocsf.module.file.creator.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.module.file.creator.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.module.file.creator.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.module.file.creator.email_addr	The user's email address.	keyword
ocsf.module.file.creator.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.module.file.creator.groups.desc	The group description.	keyword
ocsf.module.file.creator.groups.name	The group name.	keyword
ocsf.module.file.creator.groups.privileges	The group privileges.	keyword
ocsf.module.file.creator.groups.type	The type of the group or account.	keyword
ocsf.module.file.creator.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.module.file.creator.name	The username. For example, janedoe1.	keyword
ocsf.module.file.creator.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.module.file.creator.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.module.file.creator.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.module.file.creator.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.module.file.creator.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.module.file.creator.type_id	The account type identifier.	keyword
ocsf.module.file.creator.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.module.file.creator.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.module.file.desc	The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.	keyword
ocsf.module.file.hashes.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.hashes.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.module.file.hashes.value	The digital fingerprint value.	keyword
ocsf.module.file.is_system	The indication of whether the object is part of the operating system.	boolean
ocsf.module.file.mime_type	The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.	keyword
ocsf.module.file.modified_time	The time when the file was last modified.	date
ocsf.module.file.modified_time_dt	The time when the file was last modified.	date
ocsf.module.file.modifier.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.module.file.modifier.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.modifier.account.type_id	The normalized account type identifier.	keyword
ocsf.module.file.modifier.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.module.file.modifier.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.module.file.modifier.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.module.file.modifier.email_addr	The user's email address.	keyword
ocsf.module.file.modifier.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.module.file.modifier.groups.desc	The group description.	keyword
ocsf.module.file.modifier.groups.name	The group name.	keyword
ocsf.module.file.modifier.groups.privileges	The group privileges.	keyword
ocsf.module.file.modifier.groups.type	The type of the group or account.	keyword
ocsf.module.file.modifier.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.module.file.modifier.name	The username. For example, janedoe1.	keyword
ocsf.module.file.modifier.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.module.file.modifier.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.module.file.modifier.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.module.file.modifier.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.module.file.modifier.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.module.file.modifier.type_id	The account type identifier.	keyword
ocsf.module.file.modifier.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.module.file.modifier.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.module.file.name	The name of the file. For example: svchost.exe.	keyword
ocsf.module.file.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.module.file.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.module.file.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.module.file.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.module.file.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.module.file.owner.email_addr	The user's email address.	keyword
ocsf.module.file.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.module.file.owner.groups.desc	The group description.	keyword
ocsf.module.file.owner.groups.name	The group name.	keyword
ocsf.module.file.owner.groups.privileges	The group privileges.	keyword
ocsf.module.file.owner.groups.type	The type of the group or account.	keyword
ocsf.module.file.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.module.file.owner.name	The username. For example, janedoe1.	keyword
ocsf.module.file.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.module.file.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.module.file.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.module.file.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.module.file.owner.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.module.file.owner.type_id	The account type identifier.	keyword
ocsf.module.file.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.module.file.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.module.file.parent_folder	The parent folder in which the file resides. For example: c:\windows\system32.	keyword
ocsf.module.file.path	The full path to the file. For example: c:\windows\system32\svchost.exe.	keyword
ocsf.module.file.product.feature.name	The name of the feature.	keyword
ocsf.module.file.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.module.file.product.feature.version	The version of the feature.	keyword
ocsf.module.file.product.lang	The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.module.file.product.name	The name of the product.	keyword
ocsf.module.file.product.path	The installation path of the product.	keyword
ocsf.module.file.product.uid	The unique identifier of the product.	keyword
ocsf.module.file.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.module.file.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.module.file.security_descriptor	The object security descriptor.	keyword
ocsf.module.file.signature.algorithm	The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.signature.algorithm_id	The identifier of the normalized digital signature algorithm.	keyword
ocsf.module.file.signature.certificate.created_time	The time when the certificate was created.	date
ocsf.module.file.signature.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.module.file.signature.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.module.file.signature.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.module.file.signature.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.signature.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.module.file.signature.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.module.file.signature.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.module.file.signature.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.module.file.signature.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.module.file.signature.certificate.version	The certificate version.	keyword
ocsf.module.file.signature.created_time	The time when the digital signature was created.	date
ocsf.module.file.signature.created_time_dt	The time when the digital signature was created.	date
ocsf.module.file.signature.developer_uid	The developer ID on the certificate that signed the file.	keyword
ocsf.module.file.signature.digest.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.module.file.signature.digest.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.module.file.signature.digest.value	The digital fingerprint value.	keyword
ocsf.module.file.size	The size of data, in bytes.	long
ocsf.module.file.type	The file type.	keyword
ocsf.module.file.type_id	The file type ID.	keyword
ocsf.module.file.uid	The unique identifier of the file as defined by the storage system, such the file system file ID.	keyword
ocsf.module.file.version	The file version. For example: 8.0.7601.17514.	keyword
ocsf.module.file.xattributes	An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.	flattened
ocsf.module.function_name	The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.	keyword
ocsf.module.load_type	The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.	keyword
ocsf.module.load_type_id	The normalized identifier of the load type. It identifies how the module was loaded in memory.	keyword
ocsf.module.start_address	The start address of the execution.	keyword
ocsf.module.type	The module type.	keyword
ocsf.name	The name of the data affiliated with the command.	keyword
ocsf.nist	The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.	keyword
ocsf.observables.name	The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.	keyword
ocsf.observables.reputation.base_score	The reputation score as reported by the event source.	double
ocsf.observables.reputation.provider	The provider of the reputation information.	keyword
ocsf.observables.reputation.score	The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.observables.reputation.score_id	The normalized reputation score identifier.	keyword
ocsf.observables.type	The observable value type name.	keyword
ocsf.observables.type_id	The observable value type identifier.	keyword
ocsf.observables.value	The value associated with the observable attribute.	keyword
ocsf.open_type	Indicates how the file was opened (e.g. normal, delete on close).	keyword
ocsf.port	The dynamic port established for impending data transfers.	long
ocsf.privileges	The list of sensitive privileges, assigned to the new user session.	keyword
ocsf.protocol_ver	The Protocol version.	keyword
ocsf.proxy.domain	The name of the domain.	keyword
ocsf.proxy.hostname	The fully qualified name of the endpoint.	keyword
ocsf.proxy.instance_uid	The unique identifier of a VM instance.	keyword
ocsf.proxy.interface_name	The name of the network interface (e.g. eth2).	keyword
ocsf.proxy.interface_uid	The unique identifier of the network interface.	keyword
ocsf.proxy.intermediate_ips	The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.	ip
ocsf.proxy.ip	The IP address of the endpoint, in either IPv4 or IPv6 format.	ip
ocsf.proxy.location.city	The name of the city.	keyword
ocsf.proxy.location.continent	The name of the continent.	keyword
ocsf.proxy.location.coordinates	A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.	geo_point
ocsf.proxy.location.country	The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.	keyword
ocsf.proxy.location.desc	The description of the geographical location.	keyword
ocsf.proxy.location.is_on_premises	The indication of whether the location is on premises.	boolean
ocsf.proxy.location.isp	The name of the Internet Service Provider (ISP).	keyword
ocsf.proxy.location.postal_code	The postal code of the location.	keyword
ocsf.proxy.location.provider	The provider of the geographical location data.	keyword
ocsf.proxy.location.region	The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.	keyword
ocsf.proxy.mac	The Media Access Control (MAC) address of the endpoint.	keyword
ocsf.proxy.name	The short name of the endpoint.	keyword
ocsf.proxy.port	The port used for communication within the network connection.	long
ocsf.proxy.subnet_uid	The unique identifier of a virtual subnet.	keyword
ocsf.proxy.svc_name	The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.	keyword
ocsf.proxy.uid	The unique identifier of the endpoint.	keyword
ocsf.proxy.vlan_uid	The Virtual LAN identifier.	keyword
ocsf.proxy.vpc_uid	The unique identifier of the Virtual Private Cloud (VPC).	keyword
ocsf.query.class	The class of resource records being queried. See RFC1035. For example: IN.	keyword
ocsf.query.hostname	The hostname or domain being queried. For example: www.example.com	keyword
ocsf.query.opcode	The DNS opcode specifies the type of the query message.	keyword
ocsf.query.opcode_id	The DNS opcode ID specifies the normalized query message type.	keyword
ocsf.query.packet_uid	The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.	keyword
ocsf.query.type	The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.	keyword
ocsf.query_time	The Domain Name System (DNS) query time.	date
ocsf.query_time_dt	The Domain Name System (DNS) query time.	date
ocsf.raw_data	The event data as received from the event source.	flattened
ocsf.raw_data_keyword		keyword
ocsf.rcode	The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.rcode_id	The normalized identifier of the DNS server response code.	keyword
ocsf.relay.hostname	The hostname associated with the network interface.	keyword
ocsf.relay.ip	The IP address associated with the network interface.	ip
ocsf.relay.mac	The MAC address of the network interface.	keyword
ocsf.relay.name	The name of the network interface.	keyword
ocsf.relay.namespace	The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.	keyword
ocsf.relay.subnet_prefix	The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.	long
ocsf.relay.type	The type of network interface.	keyword
ocsf.relay.type_id	The network interface type identifier.	keyword
ocsf.relay.uid	The unique identifier for the network interface.	keyword
ocsf.remote_display.color_depth	The numeric color depth.	long
ocsf.remote_display.physical_height	The numeric physical height of display.	long
ocsf.remote_display.physical_orientation	The numeric physical orientation of display.	long
ocsf.remote_display.physical_width	The numeric physical width of display.	long
ocsf.remote_display.scale_factor	The numeric scale factor of display.	long
ocsf.request.flags	The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.	date
ocsf.request.uid	The unique request identifier.	keyword
ocsf.requested_permissions	The permissions mask that were requested by the process.	long
ocsf.resource.cloud_partition	The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).	keyword
ocsf.resource.criticality	The criticality of the resource as defined by the event source.	keyword
ocsf.resource.data	Additional data describing the resource.	flattened
ocsf.resource.group.desc	The group description.	keyword
ocsf.resource.group.name	The group name.	keyword
ocsf.resource.group.privileges	The group privileges.	keyword
ocsf.resource.group.type	The type of the group or account.	keyword
ocsf.resource.group.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.resource.labels	The list of labels/tags associated to a resource.	keyword
ocsf.resource.name	The name of the resource.	keyword
ocsf.resource.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.resource.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.resource.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.resource.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.resource.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.resource.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.resource.owner.email_addr	The user's email address.	keyword
ocsf.resource.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.resource.owner.groups.desc	The group description.	keyword
ocsf.resource.owner.groups.name	The group name.	keyword
ocsf.resource.owner.groups.privileges	The group privileges.	keyword
ocsf.resource.owner.groups.type	The type of the group or account.	keyword
ocsf.resource.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.resource.owner.name	The username. For example, janedoe1.	keyword
ocsf.resource.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.resource.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.resource.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.resource.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.resource.owner.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.resource.owner.type_id	The account type identifier.	keyword
ocsf.resource.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.resource.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.resource.region	The cloud region of the resource.	keyword
ocsf.resource.type	The resource type as defined by the event source.	keyword
ocsf.resource.uid	The unique identifier of the resource.	keyword
ocsf.resource.version	The version of the resource. For example 1.2.3.	keyword
ocsf.resources.cloud_partition	The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).	keyword
ocsf.resources.criticality	The criticality of the resource as defined by the event source.	keyword
ocsf.resources.data	Additional data describing the resource.	flattened
ocsf.resources.group.desc	The group description.	keyword
ocsf.resources.group.name	The group name.	keyword
ocsf.resources.group.privileges	The group privileges.	keyword
ocsf.resources.group.type	The type of the group or account.	keyword
ocsf.resources.group.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.resources.labels	The list of labels/tags associated to a resource.	keyword
ocsf.resources.name	The name of the resource.	keyword
ocsf.resources.owner.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.resources.owner.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.resources.owner.account.type_id	The normalized account type identifier.	keyword
ocsf.resources.owner.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.resources.owner.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.resources.owner.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.resources.owner.email_addr	The user's email address.	keyword
ocsf.resources.owner.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.resources.owner.groups.desc	The group description.	keyword
ocsf.resources.owner.groups.name	The group name.	keyword
ocsf.resources.owner.groups.privileges	The group privileges.	keyword
ocsf.resources.owner.groups.type	The type of the group or account.	keyword
ocsf.resources.owner.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.resources.owner.name	The username. For example, janedoe1.	keyword
ocsf.resources.owner.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.resources.owner.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.resources.owner.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.resources.owner.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.resources.owner.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.resources.owner.type_id	The account type identifier.	keyword
ocsf.resources.owner.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.resources.owner.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.resources.region	The cloud region of the resource.	keyword
ocsf.resources.type	The resource type as defined by the event source.	keyword
ocsf.resources.uid	The unique identifier of the resource.	keyword
ocsf.resources.version	The version of the resource. For example 1.2.3.	keyword
ocsf.response.code	The numeric response sent to a request.	long
ocsf.response.error	Error Code.	keyword
ocsf.response.error_message	Error Message.	keyword
ocsf.response.flags	The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.	keyword
ocsf.response.message	The description of the event, as defined by the event source.	keyword
ocsf.response_time	The Domain Name System (DNS) response time.	date
ocsf.response_time_dt	The Domain Name System (DNS) response time.	date
ocsf.risk_level	The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.risk_level_id	The normalized risk level id.	keyword
ocsf.risk_score	The risk score as reported by the event source.	long
ocsf.server_hassh.algorithm	The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation.	keyword
ocsf.server_hassh.fingerprint.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.server_hassh.fingerprint.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.server_hassh.fingerprint.value	The digital fingerprint value.	keyword
ocsf.service.labels	The list of labels associated with the service.	keyword
ocsf.service.name	The name of the service.	keyword
ocsf.service.uid	The unique identifier of the service.	keyword
ocsf.service.version	The version of the service.	keyword
ocsf.session.created_time	The time when the session was created.	date
ocsf.session.created_time_dt	The time when the session was created.	date
ocsf.session.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.session.expiration_time	The session expiration time.	date
ocsf.session.expiration_time_dt	The session expiration time.	date
ocsf.session.is_remote	The indication of whether the session is remote.	boolean
ocsf.session.issuer	The identifier of the session issuer.	keyword
ocsf.session.mfa		boolean
ocsf.session.uid	The unique identifier of the session.	keyword
ocsf.session.uuid	The universally unique identifier of the session.	keyword
ocsf.severity	The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.severity_id	The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.	long
ocsf.share	The SMB share name.	keyword
ocsf.share_type	The SMB share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.share_type_id	The normalized identifier of the SMB share type.	keyword
ocsf.size	The memory size that was access or requested.	long
ocsf.smtp_hello	The value of the SMTP HELO or EHLO command sent by the initiator (client).	keyword
ocsf.src_endpoint.domain	The name of the domain.	keyword
ocsf.src_endpoint.hostname	The fully qualified name of the endpoint.	keyword
ocsf.src_endpoint.instance_uid	The unique identifier of a VM instance.	keyword
ocsf.src_endpoint.interface_name	The name of the network interface (e.g. eth2).	keyword
ocsf.src_endpoint.interface_uid	The unique identifier of the network interface.	keyword
ocsf.src_endpoint.intermediate_ips	The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.	ip
ocsf.src_endpoint.ip	The IP address of the endpoint, in either IPv4 or IPv6 format.	ip
ocsf.src_endpoint.location.city	The name of the city.	keyword
ocsf.src_endpoint.location.continent	The name of the continent.	keyword
ocsf.src_endpoint.location.coordinates	A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.	geo_point
ocsf.src_endpoint.location.country	The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.	keyword
ocsf.src_endpoint.location.desc	The description of the geographical location.	keyword
ocsf.src_endpoint.location.is_on_premises	The indication of whether the location is on premises.	boolean
ocsf.src_endpoint.location.isp	The name of the Internet Service Provider (ISP).	keyword
ocsf.src_endpoint.location.postal_code	The postal code of the location.	keyword
ocsf.src_endpoint.location.provider	The provider of the geographical location data.	keyword
ocsf.src_endpoint.location.region	The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.	keyword
ocsf.src_endpoint.mac	The Media Access Control (MAC) address of the endpoint.	keyword
ocsf.src_endpoint.name	The short name of the endpoint.	keyword
ocsf.src_endpoint.port	The port used for communication within the network connection.	long
ocsf.src_endpoint.subnet_uid	The unique identifier of a virtual subnet.	keyword
ocsf.src_endpoint.svc_name	The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.	keyword
ocsf.src_endpoint.uid	The unique identifier of the endpoint.	keyword
ocsf.src_endpoint.vlan_uid	The Virtual LAN identifier.	keyword
ocsf.src_endpoint.vpc_uid	The unique identifier of the Virtual Private Cloud (VPC).	keyword
ocsf.start_time	The start time of a time period, or the time of the least recent event included in the aggregate event.	date
ocsf.start_time_dt	The start time of a time period, or the time of the least recent event included in the aggregate event.	date
ocsf.state	The normalized state of a security finding.	keyword
ocsf.state_id	The normalized state identifier of a security finding.	keyword
ocsf.status	The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.status_code	The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.	keyword
ocsf.status_detail	The status details contains additional information about the event outcome.	keyword
ocsf.status_id	The normalized identifier of the event status.	keyword
ocsf.time	The normalized event occurrence time.	date
ocsf.time_dt	The normalized event occurrence time.	date
ocsf.timezone_offset	The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.	long
ocsf.tls.alert	The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246.	long
ocsf.tls.certificate.created_time	The time when the certificate was created.	date
ocsf.tls.certificate.created_time_dt	The time when the certificate was created.	date
ocsf.tls.certificate.expiration_time	The expiration time of the certificate.	date
ocsf.tls.certificate.expiration_time_dt	The expiration time of the certificate.	date
ocsf.tls.certificate.fingerprints.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.tls.certificate.fingerprints.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.tls.certificate.fingerprints.value	The digital fingerprint value.	keyword
ocsf.tls.certificate.issuer	The certificate issuer distinguished name.	keyword
ocsf.tls.certificate.serial_number	The serial number of the certificate used to create the digital signature.	keyword
ocsf.tls.certificate.subject	The certificate subject distinguished name.	keyword
ocsf.tls.certificate.version	The certificate version.	keyword
ocsf.tls.certificate_chain	The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.	keyword
ocsf.tls.cipher	The negotiated cipher suite.	keyword
ocsf.tls.client_ciphers	The client cipher suites that were exchanged during the TLS handshake negotiation.	keyword
ocsf.tls.extension_list.data	The data contains information specific to the particular extension type.	flattened
ocsf.tls.extension_list.type	The TLS extension type. For example: Server Name.	keyword
ocsf.tls.extension_list.type_id	The TLS extension type identifier. See The Transport Layer Security (TLS) extension page.	keyword
ocsf.tls.handshake_dur	The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.	long
ocsf.tls.ja3_hash.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.tls.ja3_hash.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.tls.ja3_hash.value	The digital fingerprint value.	keyword
ocsf.tls.ja3s_hash.algorithm	The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.tls.ja3s_hash.algorithm_id	The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.	keyword
ocsf.tls.ja3s_hash.value	The digital fingerprint value.	keyword
ocsf.tls.key_length	The length of the encryption key.	long
ocsf.tls.sans.name	Name of SAN (e.g. The actual IP Address or domain.)	keyword
ocsf.tls.sans.type	Type descriptor of SAN (e.g. IP Address/domain/etc.)	keyword
ocsf.tls.server_ciphers	The server cipher suites that were exchanged during the TLS handshake negotiation.	keyword
ocsf.tls.sni	The Server Name Indication (SNI) extension sent by the client.	keyword
ocsf.tls.version	The TLS protocol version.	keyword
ocsf.traffic.bytes	The total number of bytes (in and out).	long
ocsf.traffic.bytes_in	The number of bytes sent from the destination to the source.	long
ocsf.traffic.bytes_out	The number of bytes sent from the source to the destination.	long
ocsf.traffic.packets	The total number of packets (in and out).	long
ocsf.traffic.packets_in	The number of packets sent from the destination to the source.	long
ocsf.traffic.packets_out	The number of packets sent from the source to the destination.	long
ocsf.transaction_uid	The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair.	keyword
ocsf.tree_uid	The tree id is a unique SMB identifier which represents an open connection to a share.	keyword
ocsf.type	The type of FTP network connection (e.g. active, passive).	keyword
ocsf.type_name	The event type name, as defined by the type_uid.	keyword
ocsf.type_uid	The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.	keyword
ocsf.unmapped	The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.	flattened
ocsf.url.categories	The Website categorization names, as defined by category_ids enum values.	keyword
ocsf.url.category_ids	The Website categorization identifies.	keyword
ocsf.url.hostname	The URL host as extracted from the URL.	keyword
ocsf.url.path	The URL path as extracted from the URL.	keyword
ocsf.url.port	The URL port.	long
ocsf.url.query_string	The query portion of the URL.	keyword
ocsf.url.resource_type	The context in which a resource was retrieved in a web request.	keyword
ocsf.url.scheme	The scheme portion of the URL.	keyword
ocsf.url.subdomain	The subdomain portion of the URL.	keyword
ocsf.url.url_string	The URL string. See RFC 1738.	keyword
ocsf.user.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.user.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.user.account.type_id	The normalized account type identifier.	keyword
ocsf.user.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.user.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.user.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.user.email_addr	The user's email address.	keyword
ocsf.user.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.user.groups.desc	The group description.	keyword
ocsf.user.groups.name	The group name.	keyword
ocsf.user.groups.privileges	The group privileges.	keyword
ocsf.user.groups.type	The type of the group or account.	keyword
ocsf.user.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.user.name	The username. For example, janedoe1.	keyword
ocsf.user.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.user.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.user.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.user.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.user.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.user.type_id	The account type identifier.	keyword
ocsf.user.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.user.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.user_result.account.name	The name of the account (e.g. GCP Account Name).	keyword
ocsf.user_result.account.type	The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.	keyword
ocsf.user_result.account.type_id	The normalized account type identifier.	keyword
ocsf.user_result.account.uid	The unique identifier of the account (e.g. AWS Account ID).	keyword
ocsf.user_result.credential_uid	The unique identifier of the user's credential. For example, AWS Access Key ID.	keyword
ocsf.user_result.domain	The domain where the user is defined. For example: the LDAP or Active Directory domain.	keyword
ocsf.user_result.email_addr	The user's email address.	keyword
ocsf.user_result.full_name	The full name of the person, as per the LDAP Common Name attribute (cn).	keyword
ocsf.user_result.groups.desc	The group description.	keyword
ocsf.user_result.groups.name	The group name.	keyword
ocsf.user_result.groups.privileges	The group privileges.	keyword
ocsf.user_result.groups.type	The type of the group or account.	keyword
ocsf.user_result.groups.uid	The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.	keyword
ocsf.user_result.name	The username. For example, janedoe1.	keyword
ocsf.user_result.org.name	The name of the organization. For example, Widget, Inc.	keyword
ocsf.user_result.org.ou_name	The name of the organizational unit, within an organization. For example, Finance, IT, R&D.	keyword
ocsf.user_result.org.ou_uid	The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.	keyword
ocsf.user_result.org.uid	The unique identifier of the organization. For example, its Active Directory or AWS Org ID.	keyword
ocsf.user_result.type	The type of the user. For example, System, AWS IAM User, etc.	keyword
ocsf.user_result.type_id	The account type identifier.	keyword
ocsf.user_result.uid	The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.	keyword
ocsf.user_result.uid_alt	The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.	keyword
ocsf.vulnerabilities.cve.created_time	The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.	date
ocsf.vulnerabilities.cve.created_time_dt	The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.	date
ocsf.vulnerabilities.cve.cvss.base_score	The CVSS base score. For example: 9.1.	double
ocsf.vulnerabilities.cve.cvss.depth	The CVSS depth represents a depth of the equation used to calculate CVSS score.	keyword
ocsf.vulnerabilities.cve.cvss.metrics.name	The name of the metric.	keyword
ocsf.vulnerabilities.cve.cvss.metrics.value	The value of the metric.	keyword
ocsf.vulnerabilities.cve.cvss.overall_score	The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.	double
ocsf.vulnerabilities.cve.cvss.severity	The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.	keyword
ocsf.vulnerabilities.cve.cvss.vector_string	The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.	keyword
ocsf.vulnerabilities.cve.cvss.version	The CVSS version. For example: 3.1.	keyword
ocsf.vulnerabilities.cve.cwe_uid	The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.	keyword
ocsf.vulnerabilities.cve.cwe_url	Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.	keyword
ocsf.vulnerabilities.cve.modified_time	The Record Modified Date identifies when the CVE record was last updated.	date
ocsf.vulnerabilities.cve.modified_time_dt	The Record Modified Date identifies when the CVE record was last updated.	date
ocsf.vulnerabilities.cve.product.feature.name	The name of the feature.	keyword
ocsf.vulnerabilities.cve.product.feature.uid	The unique identifier of the feature.	keyword
ocsf.vulnerabilities.cve.product.feature.version	The version of the feature.	keyword
ocsf.vulnerabilities.cve.product.lang	The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).	keyword
ocsf.vulnerabilities.cve.product.name	The name of the product.	keyword
ocsf.vulnerabilities.cve.product.path	The installation path of the product.	keyword
ocsf.vulnerabilities.cve.product.uid	The unique identifier of the product.	keyword
ocsf.vulnerabilities.cve.product.url_string	The URL pointing towards the product.	keyword
ocsf.vulnerabilities.cve.product.vendor_name	The name of the vendor of the product.	keyword
ocsf.vulnerabilities.cve.product.version	The version of the product, as defined by the event source. For example: 2013.1.3-beta.	keyword
ocsf.vulnerabilities.cve.type	The vulnerability type as selected from a large dropdown menu during CVE refinement.	keyword
ocsf.vulnerabilities.cve.uid	The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.	keyword
ocsf.vulnerabilities.desc	The description of the vulnerability.	keyword
ocsf.vulnerabilities.fix_available	Indicates if a fix is available for the reported vulnerability.	boolean
ocsf.vulnerabilities.kb_articles	The KB article/s related to the entity.	keyword
ocsf.vulnerabilities.packages.architecture	Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.	keyword
ocsf.vulnerabilities.packages.epoch	The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.	long
ocsf.vulnerabilities.packages.license	The software license applied to this package.	keyword
ocsf.vulnerabilities.packages.name	The software package name.	keyword
ocsf.vulnerabilities.packages.release	Release is the number of times a version of the software has been packaged.	keyword
ocsf.vulnerabilities.packages.version	The software package version.	keyword
ocsf.vulnerabilities.references	Supporting reference URLs.	keyword
ocsf.vulnerabilities.related_vulnerabilities	List of vulnerabilities that are related to this vulnerability.	keyword
ocsf.vulnerabilities.severity	The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.	keyword
ocsf.vulnerabilities.title	The title of the vulnerability.	keyword
ocsf.vulnerabilities.vendor_name	The vendor who identified the vulnerability.	keyword
ocsf.web_resources.data	Details of the web resource, e.g, file details, search results or application-defined resource.	flattened
ocsf.web_resources.desc	Description of the web resource.	keyword
ocsf.web_resources.labels	The list of labels/tags associated to a resource.	keyword
ocsf.web_resources.name	The name of the web resource.	keyword
ocsf.web_resources.type	The web resource type as defined by the event source.	keyword
ocsf.web_resources.uid	The unique identifier of the web resource.	keyword
ocsf.web_resources.url_string	The URL pointing towards the source of the web resource.	keyword
ocsf.web_resources_result.data	Details of the web resource, e.g, file details, search results or application-defined resource.	flattened
ocsf.web_resources_result.desc	Description of the web resource.	keyword
ocsf.web_resources_result.labels	The list of labels/tags associated to a resource.	keyword
ocsf.web_resources_result.name	The name of the web resource.	keyword
ocsf.web_resources_result.type	The web resource type as defined by the event source.	keyword
ocsf.web_resources_result.uid	The unique identifier of the web resource.	keyword
ocsf.web_resources_result.url_string	The URL pointing towards the source of the web resource.	keyword
process.group.id		keyword
process.group.name		keyword
process.parent.user.domain		keyword
process.parent.user.email		keyword
process.parent.user.full_name		keyword
process.parent.user.group.id		keyword
process.parent.user.group.name		keyword
process.user.domain		keyword
process.user.email		keyword
process.user.full_name		keyword
process.user.group.id		keyword
process.user.group.name		keyword
tags	User defined tags.	keyword

Changelog

Version	Details	Kibana version(s)
1.1.0	Enhancement View pull request Set sensitive values as secret.	8.12.0 or higher
1.0.1	Enhancement View pull request Changed owners	8.11.0 or higher
1.0.0	Enhancement View pull request Release package as GA.	8.11.0 or higher
0.9.0	Enhancement View pull request Add support for all the OCSF classes.	—
0.8.0	Enhancement View pull request ECS version updated to 8.11.0.	—
0.7.0	Enhancement View pull request Improve 'event.original' check to avoid errors if set.	—
0.6.0	Enhancement View pull request Add data subscriber steps.	—
0.5.0	Enhancement View pull request Remove role creation steps and add notification parsing script parameter.	—
0.4.0	Enhancement View pull request The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.	—
0.3.0	Enhancement View pull request Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	—
0.2.1	Bug fix View pull request Readme indentation fixing.	—
0.2.0	Enhancement View pull request Add External ID parameter and Update User guide.	—
0.1.0	Enhancement View pull request Initial release.	—

On this page

Article navigation