146a147,175
> elf.architecture
> elf.byte_order
> elf.cpu_type
> elf.creation_date
> elf.exports
> elf.header.abi_version
> elf.header.class
> elf.header.data
> elf.header.entrypoint
> elf.header.object_version
> elf.header.os_abi
> elf.header.type
> elf.header.version
> elf.imports
> elf.sections
> elf.sections.chi2
> elf.sections.entropy
> elf.sections.flags
> elf.sections.name
> elf.sections.physical_offset
> elf.sections.physical_size
> elf.sections.type
> elf.sections.virtual_address
> elf.sections.virtual_size
> elf.segments
> elf.segments.sections
> elf.segments.type
> elf.shared_libraries
> elf.telfhash
152a182
> event.agent_id_status
190a221,249
> file.elf.architecture
> file.elf.byte_order
> file.elf.cpu_type
> file.elf.creation_date
> file.elf.exports
> file.elf.header.abi_version
> file.elf.header.class
> file.elf.header.data
> file.elf.header.entrypoint
> file.elf.header.object_version
> file.elf.header.os_abi
> file.elf.header.type
> file.elf.header.version
> file.elf.imports
> file.elf.sections
> file.elf.sections.chi2
> file.elf.sections.entropy
> file.elf.sections.flags
> file.elf.sections.name
> file.elf.sections.physical_offset
> file.elf.sections.physical_size
> file.elf.sections.type
> file.elf.sections.virtual_address
> file.elf.sections.virtual_size
> file.elf.segments
> file.elf.segments.sections
> file.elf.segments.type
> file.elf.shared_libraries
> file.elf.telfhash
439a499,527
> process.elf.architecture
> process.elf.byte_order
> process.elf.cpu_type
> process.elf.creation_date
> process.elf.exports
> process.elf.header.abi_version
> process.elf.header.class
> process.elf.header.data
> process.elf.header.entrypoint
> process.elf.header.object_version
> process.elf.header.os_abi
> process.elf.header.type
> process.elf.header.version
> process.elf.imports
> process.elf.sections
> process.elf.sections.chi2
> process.elf.sections.entropy
> process.elf.sections.flags
> process.elf.sections.name
> process.elf.sections.physical_offset
> process.elf.sections.physical_size
> process.elf.sections.type
> process.elf.sections.virtual_address
> process.elf.sections.virtual_size
> process.elf.segments
> process.elf.segments.sections
> process.elf.segments.type
> process.elf.shared_libraries
> process.elf.telfhash
458a547,575
> process.parent.elf.architecture
> process.parent.elf.byte_order
> process.parent.elf.cpu_type
> process.parent.elf.creation_date
> process.parent.elf.exports
> process.parent.elf.header.abi_version
> process.parent.elf.header.class
> process.parent.elf.header.data
> process.parent.elf.header.entrypoint
> process.parent.elf.header.object_version
> process.parent.elf.header.os_abi
> process.parent.elf.header.type
> process.parent.elf.header.version
> process.parent.elf.imports
> process.parent.elf.sections
> process.parent.elf.sections.chi2
> process.parent.elf.sections.entropy
> process.parent.elf.sections.flags
> process.parent.elf.sections.name
> process.parent.elf.sections.physical_offset
> process.parent.elf.sections.physical_size
> process.parent.elf.sections.type
> process.parent.elf.sections.virtual_address
> process.parent.elf.sections.virtual_size
> process.parent.elf.segments
> process.parent.elf.segments.sections
> process.parent.elf.segments.type
> process.parent.elf.shared_libraries
> process.parent.elf.telfhash
599a717,864
> threat.enrichments
> threat.enrichments.indicator
> threat.enrichments.indicator.as.number
> threat.enrichments.indicator.as.organization.name
> threat.enrichments.indicator.confidence
> threat.enrichments.indicator.description
> threat.enrichments.indicator.email.address
> threat.enrichments.indicator.file.accessed
> threat.enrichments.indicator.file.attributes
> threat.enrichments.indicator.file.code_signature.exists
> threat.enrichments.indicator.file.code_signature.signing_id
> threat.enrichments.indicator.file.code_signature.status
> threat.enrichments.indicator.file.code_signature.subject_name
> threat.enrichments.indicator.file.code_signature.team_id
> threat.enrichments.indicator.file.code_signature.trusted
> threat.enrichments.indicator.file.code_signature.valid
> threat.enrichments.indicator.file.created
> threat.enrichments.indicator.file.ctime
> threat.enrichments.indicator.file.device
> threat.enrichments.indicator.file.directory
> threat.enrichments.indicator.file.drive_letter
> threat.enrichments.indicator.file.elf.architecture
> threat.enrichments.indicator.file.elf.byte_order
> threat.enrichments.indicator.file.elf.cpu_type
> threat.enrichments.indicator.file.elf.creation_date
> threat.enrichments.indicator.file.elf.exports
> threat.enrichments.indicator.file.elf.header.abi_version
> threat.enrichments.indicator.file.elf.header.class
> threat.enrichments.indicator.file.elf.header.data
> threat.enrichments.indicator.file.elf.header.entrypoint
> threat.enrichments.indicator.file.elf.header.object_version
> threat.enrichments.indicator.file.elf.header.os_abi
> threat.enrichments.indicator.file.elf.header.type
> threat.enrichments.indicator.file.elf.header.version
> threat.enrichments.indicator.file.elf.imports
> threat.enrichments.indicator.file.elf.sections
> threat.enrichments.indicator.file.elf.sections.chi2
> threat.enrichments.indicator.file.elf.sections.entropy
> threat.enrichments.indicator.file.elf.sections.flags
> threat.enrichments.indicator.file.elf.sections.name
> threat.enrichments.indicator.file.elf.sections.physical_offset
> threat.enrichments.indicator.file.elf.sections.physical_size
> threat.enrichments.indicator.file.elf.sections.type
> threat.enrichments.indicator.file.elf.sections.virtual_address
> threat.enrichments.indicator.file.elf.sections.virtual_size
> threat.enrichments.indicator.file.elf.segments
> threat.enrichments.indicator.file.elf.segments.sections
> threat.enrichments.indicator.file.elf.segments.type
> threat.enrichments.indicator.file.elf.shared_libraries
> threat.enrichments.indicator.file.elf.telfhash
> threat.enrichments.indicator.file.extension
> threat.enrichments.indicator.file.gid
> threat.enrichments.indicator.file.group
> threat.enrichments.indicator.file.inode
> threat.enrichments.indicator.file.mime_type
> threat.enrichments.indicator.file.mode
> threat.enrichments.indicator.file.mtime
> threat.enrichments.indicator.file.name
> threat.enrichments.indicator.file.owner
> threat.enrichments.indicator.file.path
> threat.enrichments.indicator.file.size
> threat.enrichments.indicator.file.target_path
> threat.enrichments.indicator.file.type
> threat.enrichments.indicator.file.uid
> threat.enrichments.indicator.first_seen
> threat.enrichments.indicator.geo.city_name
> threat.enrichments.indicator.geo.continent_code
> threat.enrichments.indicator.geo.continent_name
> threat.enrichments.indicator.geo.country_iso_code
> threat.enrichments.indicator.geo.country_name
> threat.enrichments.indicator.geo.location
> threat.enrichments.indicator.geo.name
> threat.enrichments.indicator.geo.postal_code
> threat.enrichments.indicator.geo.region_iso_code
> threat.enrichments.indicator.geo.region_name
> threat.enrichments.indicator.geo.timezone
> threat.enrichments.indicator.hash.md5
> threat.enrichments.indicator.hash.sha1
> threat.enrichments.indicator.hash.sha256
> threat.enrichments.indicator.hash.sha512
> threat.enrichments.indicator.hash.ssdeep
> threat.enrichments.indicator.ip
> threat.enrichments.indicator.last_seen
> threat.enrichments.indicator.marking.tlp
> threat.enrichments.indicator.modified_at
> threat.enrichments.indicator.pe.architecture
> threat.enrichments.indicator.pe.company
> threat.enrichments.indicator.pe.description
> threat.enrichments.indicator.pe.file_version
> threat.enrichments.indicator.pe.imphash
> threat.enrichments.indicator.pe.original_file_name
> threat.enrichments.indicator.pe.product
> threat.enrichments.indicator.port
> threat.enrichments.indicator.provider
> threat.enrichments.indicator.reference
> threat.enrichments.indicator.registry.data.bytes
> threat.enrichments.indicator.registry.data.strings
> threat.enrichments.indicator.registry.data.type
> threat.enrichments.indicator.registry.hive
> threat.enrichments.indicator.registry.key
> threat.enrichments.indicator.registry.path
> threat.enrichments.indicator.registry.value
> threat.enrichments.indicator.scanner_stats
> threat.enrichments.indicator.sightings
> threat.enrichments.indicator.type
> threat.enrichments.indicator.url.domain
> threat.enrichments.indicator.url.extension
> threat.enrichments.indicator.url.fragment
> threat.enrichments.indicator.url.full
> threat.enrichments.indicator.url.original
> threat.enrichments.indicator.url.password
> threat.enrichments.indicator.url.path
> threat.enrichments.indicator.url.port
> threat.enrichments.indicator.url.query
> threat.enrichments.indicator.url.registered_domain
> threat.enrichments.indicator.url.scheme
> threat.enrichments.indicator.url.subdomain
> threat.enrichments.indicator.url.top_level_domain
> threat.enrichments.indicator.url.username
> threat.enrichments.indicator.x509.alternative_names
> threat.enrichments.indicator.x509.issuer.common_name
> threat.enrichments.indicator.x509.issuer.country
> threat.enrichments.indicator.x509.issuer.distinguished_name
> threat.enrichments.indicator.x509.issuer.locality
> threat.enrichments.indicator.x509.issuer.organization
> threat.enrichments.indicator.x509.issuer.organizational_unit
> threat.enrichments.indicator.x509.issuer.state_or_province
> threat.enrichments.indicator.x509.not_after
> threat.enrichments.indicator.x509.not_before
> threat.enrichments.indicator.x509.public_key_algorithm
> threat.enrichments.indicator.x509.public_key_curve
> threat.enrichments.indicator.x509.public_key_exponent
> threat.enrichments.indicator.x509.public_key_size
> threat.enrichments.indicator.x509.serial_number
> threat.enrichments.indicator.x509.signature_algorithm
> threat.enrichments.indicator.x509.subject.common_name
> threat.enrichments.indicator.x509.subject.country
> threat.enrichments.indicator.x509.subject.distinguished_name
> threat.enrichments.indicator.x509.subject.locality
> threat.enrichments.indicator.x509.subject.organization
> threat.enrichments.indicator.x509.subject.organizational_unit
> threat.enrichments.indicator.x509.subject.state_or_province
> threat.enrichments.indicator.x509.version_number
> threat.enrichments.matched.atomic
> threat.enrichments.matched.field
> threat.enrichments.matched.id
> threat.enrichments.matched.index
> threat.enrichments.matched.type
600a866,1015
> threat.group.alias
> threat.group.id
> threat.group.name
> threat.group.reference
> threat.indicator.as.number
> threat.indicator.as.organization.name
> threat.indicator.confidence
> threat.indicator.description
> threat.indicator.email.address
> threat.indicator.file.accessed
> threat.indicator.file.attributes
> threat.indicator.file.code_signature.exists
> threat.indicator.file.code_signature.signing_id
> threat.indicator.file.code_signature.status
> threat.indicator.file.code_signature.subject_name
> threat.indicator.file.code_signature.team_id
> threat.indicator.file.code_signature.trusted
> threat.indicator.file.code_signature.valid
> threat.indicator.file.created
> threat.indicator.file.ctime
> threat.indicator.file.device
> threat.indicator.file.directory
> threat.indicator.file.drive_letter
> threat.indicator.file.elf.architecture
> threat.indicator.file.elf.byte_order
> threat.indicator.file.elf.cpu_type
> threat.indicator.file.elf.creation_date
> threat.indicator.file.elf.exports
> threat.indicator.file.elf.header.abi_version
> threat.indicator.file.elf.header.class
> threat.indicator.file.elf.header.data
> threat.indicator.file.elf.header.entrypoint
> threat.indicator.file.elf.header.object_version
> threat.indicator.file.elf.header.os_abi
> threat.indicator.file.elf.header.type
> threat.indicator.file.elf.header.version
> threat.indicator.file.elf.imports
> threat.indicator.file.elf.sections
> threat.indicator.file.elf.sections.chi2
> threat.indicator.file.elf.sections.entropy
> threat.indicator.file.elf.sections.flags
> threat.indicator.file.elf.sections.name
> threat.indicator.file.elf.sections.physical_offset
> threat.indicator.file.elf.sections.physical_size
> threat.indicator.file.elf.sections.type
> threat.indicator.file.elf.sections.virtual_address
> threat.indicator.file.elf.sections.virtual_size
> threat.indicator.file.elf.segments
> threat.indicator.file.elf.segments.sections
> threat.indicator.file.elf.segments.type
> threat.indicator.file.elf.shared_libraries
> threat.indicator.file.elf.telfhash
> threat.indicator.file.extension
> threat.indicator.file.gid
> threat.indicator.file.group
> threat.indicator.file.inode
> threat.indicator.file.mime_type
> threat.indicator.file.mode
> threat.indicator.file.mtime
> threat.indicator.file.name
> threat.indicator.file.owner
> threat.indicator.file.path
> threat.indicator.file.size
> threat.indicator.file.target_path
> threat.indicator.file.type
> threat.indicator.file.uid
> threat.indicator.first_seen
> threat.indicator.geo.city_name
> threat.indicator.geo.continent_code
> threat.indicator.geo.continent_name
> threat.indicator.geo.country_iso_code
> threat.indicator.geo.country_name
> threat.indicator.geo.location
> threat.indicator.geo.name
> threat.indicator.geo.postal_code
> threat.indicator.geo.region_iso_code
> threat.indicator.geo.region_name
> threat.indicator.geo.timezone
> threat.indicator.hash.md5
> threat.indicator.hash.sha1
> threat.indicator.hash.sha256
> threat.indicator.hash.sha512
> threat.indicator.hash.ssdeep
> threat.indicator.ip
> threat.indicator.last_seen
> threat.indicator.marking.tlp
> threat.indicator.modified_at
> threat.indicator.pe.architecture
> threat.indicator.pe.company
> threat.indicator.pe.description
> threat.indicator.pe.file_version
> threat.indicator.pe.imphash
> threat.indicator.pe.original_file_name
> threat.indicator.pe.product
> threat.indicator.port
> threat.indicator.provider
> threat.indicator.reference
> threat.indicator.registry.data.bytes
> threat.indicator.registry.data.strings
> threat.indicator.registry.data.type
> threat.indicator.registry.hive
> threat.indicator.registry.key
> threat.indicator.registry.path
> threat.indicator.registry.value
> threat.indicator.scanner_stats
> threat.indicator.sightings
> threat.indicator.type
> threat.indicator.url.domain
> threat.indicator.url.extension
> threat.indicator.url.fragment
> threat.indicator.url.full
> threat.indicator.url.original
> threat.indicator.url.password
> threat.indicator.url.path
> threat.indicator.url.port
> threat.indicator.url.query
> threat.indicator.url.registered_domain
> threat.indicator.url.scheme
> threat.indicator.url.subdomain
> threat.indicator.url.top_level_domain
> threat.indicator.url.username
> threat.indicator.x509.alternative_names
> threat.indicator.x509.issuer.common_name
> threat.indicator.x509.issuer.country
> threat.indicator.x509.issuer.distinguished_name
> threat.indicator.x509.issuer.locality
> threat.indicator.x509.issuer.organization
> threat.indicator.x509.issuer.organizational_unit
> threat.indicator.x509.issuer.state_or_province
> threat.indicator.x509.not_after
> threat.indicator.x509.not_before
> threat.indicator.x509.public_key_algorithm
> threat.indicator.x509.public_key_curve
> threat.indicator.x509.public_key_exponent
> threat.indicator.x509.public_key_size
> threat.indicator.x509.serial_number
> threat.indicator.x509.signature_algorithm
> threat.indicator.x509.subject.common_name
> threat.indicator.x509.subject.country
> threat.indicator.x509.subject.distinguished_name
> threat.indicator.x509.subject.locality
> threat.indicator.x509.subject.organization
> threat.indicator.x509.subject.organizational_unit
> threat.indicator.x509.subject.state_or_province
> threat.indicator.x509.version_number
> threat.software.id
> threat.software.name
> threat.software.platforms
> threat.software.reference
> threat.software.type