forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnon-ecs-schema.json
58 lines (58 loc) · 1.69 KB
/
non-ecs-schema.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
{
"endgame-*": {
"endgame": {
"metadata": {
"type": "keyword"
},
"event_subtype_full": "keyword"
}
},
"winlogbeat-*": {
"winlog": {
"event_data": {
"AccessList": "keyword",
"AccessMask": "keyword",
"AccessMaskDescription": "keyword",
"AllowedToDelegateTo": "keyword",
"AttributeLDAPDisplayName": "keyword",
"AttributeValue": "keyword",
"CallerProcessName": "keyword",
"CallTrace": "keyword",
"ClientProcessId": "keyword",
"GrantedAccess": "keyword",
"NewTargetUserName": "keyword",
"ObjectDN": "keyword",
"ObjectName": "keyword",
"OldTargetUserName": "keyword",
"OriginalFileName": "keyword",
"ParentProcessId": "keyword",
"ProcessName": "keyword",
"Properties": "keyword",
"RelativeTargetName": "keyword",
"ShareName": "keyword",
"SubjectLogonId": "keyword",
"SubjectUserName": "keyword",
"TargetImage": "keyword",
"TargetLogonId": "keyword",
"TargetProcessGUID": "keyword",
"TargetSid": "keyword"
}
},
"winlog.logon.type": "keyword",
"powershell.file.script_block_text": "text"
},
"filebeat-*": {
"o365.audit.NewValue": "keyword",
"o365audit.Parameters.ForwardTo": "keyword",
"o365audit.Parameters.ForwardAsAttachmentTo": "keyword",
"o365audit.Parameters.RedirectTo": "keyword"
},
"logs-endpoint.events.*": {
"process.Ext.token.integrity_level_name": "keyword",
"process.parent.Ext.real.pid": "long",
"file.Ext.header_bytes": "keyword"
},
"logs-windows.*": {
"powershell.file.script_block_text": "text"
}
}