diff --git a/.backportrc.json b/.backportrc.json
index 3764fa549c..4abd8f04cd 100644
--- a/.backportrc.json
+++ b/.backportrc.json
@@ -2,6 +2,7 @@
   "upstream": "elastic/ecs",
   "branches": [
     { "name": "master", "checked": true },
+    "8.0",
     "1.12",
     "1.11",
     "1.10",
@@ -19,7 +20,7 @@
   "targetPRLabels": ["backport"],
   "prFilter": "label:needs_backport",
   "branchLabelMapping": {
-      "^8.0.0$": "master",
+      "^8.1.0$": "master",
       "^(\\d+).(\\d+).\\d+$": "$1.$2"
   }
 }
diff --git a/.github/ISSUE_TEMPLATE/schema-changes-additions.md b/.github/ISSUE_TEMPLATE/schema-changes-additions.md
index 847af99b75..ff50c1f3fe 100644
--- a/.github/ISSUE_TEMPLATE/schema-changes-additions.md
+++ b/.github/ISSUE_TEMPLATE/schema-changes-additions.md
@@ -7,7 +7,7 @@ labels: "enhancement"
 <!--
 Please first search existing issues for the changes you are requesting; it may already exist as an open issue.
 
-Substantial schema changes or additions should follow the RFC process: https://github.com/elastic/ecs/blob/master/rfcs/README.md
+Substantial schema changes or additions should follow the RFC process: https://github.com/elastic/ecs/blob/main/rfcs/README.md
 
 Please fill in the following sections describing your proposed changes: -->
 
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index a3d2e4d9a8..5a03ece333 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -6,9 +6,9 @@ our submission, but they are here to help bring them to your attention.
 -->
 
 - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
-- Have you followed the [contributor guidelines](https://github.com/elastic/ecs/blob/master/CONTRIBUTING.md)?
-- For proposing substantial changes or additions to the schema, have you reviewed the [RFC process](https://github.com/elastic/ecs/blob/master/rfcs/README.md)?
+- Have you followed the [contributor guidelines](https://github.com/elastic/ecs/blob/main/CONTRIBUTING.md)?
+- For proposing substantial changes or additions to the schema, have you reviewed the [RFC process](https://github.com/elastic/ecs/blob/main/rfcs/README.md)?
 - If submitting code/script changes, have you verified all tests pass locally using `make test`?
 - If submitting schema/fields updates, have you generated new artifacts by running `make` and committed those changes?
-- Is your pull request against master? Unless there is a good reason otherwise, we prefer pull requests against master and will backport as needed.
-- Have you added an entry to the [CHANGELOG.next.md](https://github.com/elastic/ecs/blob/master/CHANGELOG.next.md)?
+- Is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed.
+- Have you added an entry to the [CHANGELOG.next.md](https://github.com/elastic/ecs/blob/main/CHANGELOG.next.md)?
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 821f3d5182..f467356186 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,57 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.12.1](https://github.com/elastic/ecs/compare/v1.12.0...v1.12.1)
+
+### Schema Changes
+
+#### Bugfixes
+
+* Updating `x509` order to correct nesting. ##1621
+
+## [1.12.0](https://github.com/elastic/ecs/compare/v1.11.0...v1.12.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* Updating `hash` order to correct nesting. #1603
+* Removing incorrect `hash` reuses. #1604
+* Updating `pe` order to correct nesting. #1605
+* Removing incorrect `pe` reuses. #1606
+* Correcting `enrichments` to an `array` type. #1608
+
+#### Added
+
+* Added `file.fork_name` field. #1288
+* Added `service.address` field. #1537
+* Added `service.environment` as a beta field. #1541
+* Added `process.end` field. #1544
+* Added container metric fields into experimental schema. #1546
+* Add `code_signature.digest_algorithm` and `code_signature.timestamp` fields. #1557
+* Add `email.*` field set in the experimental fields. #1569
+
+#### Improvements
+
+* Beta migration on some `keyword` fields to `wildcard`. #1517
+* Promote `threat.software.*` and `threat.group.*` fields to GA. #1540
+* Update `user.name` and `user.id` examples for clarity. #1566
+* Beta migration of `text` and `.text` multi-fields to `match_only_text`. #1532, #1571
+
+### Tooling and Artifact Changes
+
+#### Added
+
+* Support ES 6.x type fallback for `match_only_text` field types. #1528
+
+#### Bugfixes
+
+* Prevent failure if no files need to be deleted `find | xargs rm`. #1588
+
+#### Improvements
+
+* Document field type family interoperability in FAQ. #1591
+
 ## [1.11.0](https://github.com/elastic/ecs/compare/v1.10.0...v1.11.0)
 
 ### Schema Changes
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 40a92b0a7c..aad7035d95 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -12,67 +12,68 @@ Thanks, you're awesome :-) -->
 
 #### Breaking changes
 
-* Remove `host.user.*` field reuse. #1439
-* Remove deprecation notice on `http.request.method`. #1443
-* Migrate `log.origin.file.line` from `integer` to `long`. #1533
-* Remove `log.original` field. #1580
-
 #### Bugfixes
 
 #### Added
 
 #### Improvements
 
-* Wildcard type field migration GA. #1582
-* `match_only_text` type field migration GA. #1584
-* Threat indicator fields GA from RFC 0008. #1586
-
 #### Deprecated
 
-### Tooling and Artifact Changes
+#### Removed
 
-#### Breaking Changes
+- Removing `process.target.*` reuses from experimental schema. #1666
 
-* Removing deprecated --oss from generator #1404
-* Removing use-cases directory #1405
-* Remove Go code generator. #1567
+### Tooling and Artifact Changes
+
+#### Breaking changes
 
 #### Bugfixes
 
+* Add `object` as fallback for `flattened` type. #1653
+
 #### Added
 
 #### Improvements
 
-* Remove remaining Go deps after removing Go code generator. #1585
+* Update refs from master to main in USAGE.md etc #1658
 
 #### Deprecated
 
-## 1.12.0 (Feature Freeze)
+## 8.0.0 (Feature Freeze)
 
 ### Schema Changes
 
+#### Breaking changes
+
+* Remove `host.user.*` field reuse. #1439
+* Remove deprecation notice on `http.request.method`. #1443
+* Migrate `log.origin.file.line` from `integer` to `long`. #1533
+* Remove `log.original` field. #1580
+* Remove `process.ppid` field. #1596
+
 #### Added
 
-* Added `file.fork_name` field. #1288
-* Added `service.address` field. #1537
-* Added `service.environment` as a beta field. #1541
-* Added `process.end` field. #1544
-* Added container metric fields into experimental schema. #1546
-* Add `code_signature.digest_algorithm` and `code_signature.timestamp` fields. #1557
-* Add `email.*` field set in the experimental fields. #1569
+* Added `faas.*` field set as beta. #1628
 
 #### Improvements
 
-* Beta migration on some `keyword` fields to `wildcard`. #1517
-* Promote `threat.software.*` and `threat.group.*` fields to GA. #1540
-* Update `user.name` and `user.id` examples for clarity. #1566
-* Beta migration of `text` and `.text` multi-fields to `match_only_text`. #1532, #1571
+* Wildcard type field migration GA. #1582
+* `match_only_text` type field migration GA. #1584
+* Threat indicator fields GA from RFC 0008. #1586
 
 ### Tooling and Artifact Changes
 
-#### Added
+#### Breaking Changes
 
-* Support ES 6.x type fallback for `match_only_text` field types. #1528
+* Removing deprecated --oss from generator #1404
+* Removing use-cases directory #1405
+* Remove Go code generator. #1567
+
+#### Improvements
+
+* Remove remaining Go deps after removing Go code generator. #1585
+* Add explicit `default_field: true` for Beats artifacts. #1633
 
 <!-- All empty sections:
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4af171b7c5..68f40705f8 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -101,7 +101,7 @@ Please follow these guidelines when submitting Issues:
 
 ECS follows this branching strategy:
 
-* The `master` is the next major version. It is where all new contributions are first merged. This includes new features and bug fixes, and it may also include breaking changes.
+* The `main` is the next major version. It is where all new contributions are first merged. This includes new features and bug fixes, and it may also include breaking changes.
 * The `<major>.x` is the next minor version and gets backports of most non-breaking features and fixes.
 * The `<major>.<minor>` is the next release of a minor version, including patch releases.
 
@@ -116,7 +116,7 @@ Breaking changes intended for the next major version should be included undernea
 
 ### Backports
 
-ECS maintains multiple release branches in the repo. The `master` branch is where all new contributions should be submitted, and features and bug fixes will be backported into other branches when appropriate. Any backporting needs will be handled by the ECS team.
+ECS maintains multiple release branches in the repo. The `main` branch is where all new contributions should be submitted, and features and bug fixes will be backported into other branches when appropriate. Any backporting needs will be handled by the ECS team.
 
 #### Tooling
 
diff --git a/Makefile b/Makefile
index 2388dd66ba..19e8c6ca1f 100644
--- a/Makefile
+++ b/Makefile
@@ -24,6 +24,15 @@ check: generate experimental test fmt misspell makelint
 	git update-index --refresh
 	git diff-index --exit-code HEAD --
 
+# Check for license headers
+.PHONY: check_license_headers
+check_license_headers:
+	@echo "Files missing license headers:\n"
+	@find . -type f \( -path './scripts/*' -o -path './schemas/*' \) \
+	\( -name '*.py' -o -name '*.yml' \) \
+	-print0 | xargs -0 -n1 grep -L "Licensed to Elasticsearch B.V." \
+	|| exit 0
+
 # Clean deletes all temporary and generated content.
 .PHONY: clean
 clean:
diff --git a/NOTICE.txt b/NOTICE.txt
index 1d8b82684f..14fbb7eff9 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -1,5 +1,5 @@
 Elastic Common Schema
-Copyright 2018 Elasticsearch B.V.
+Copyright 2018-2021 Elasticsearch B.V.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index 407c6e9b69..59011c2b8c 100644
--- a/README.md
+++ b/README.md
@@ -27,10 +27,28 @@ You can learn more in [generated/README.md](generated)
 
 ## Releases of ECS
 
-The master branch of this repository should never be considered an
+The main branch of this repository should never be considered an
 official release of ECS. You can browse official releases of ECS
 [here](https://github.com/elastic/ecs/releases).
 
 The ECS team publishes improvements to the schema by following
 [Semantic Versioning](https://semver.org/).
 Generally major ECS releases are planned to be aligned with major Elastic Stack releases.
+
+## License
+
+This software is licensed under the Apache License, version 2 ("ALv2"), quoted below.
+
+Copyright 2018-2021 Elasticsearch <https://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not
+use this file except in compliance with the License. You may obtain a copy of
+the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+License for the specific language governing permissions and limitations under
+the License.
diff --git a/USAGE.md b/USAGE.md
index 5ba60b306f..338cbb6c1f 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -135,7 +135,7 @@ Running generator. ECS version 1.5.0
 **Points to note on the defaults**:
 
 * Artifacts are created in the [`generated`](generated) directory and the entire schema is included
-* Documentation updates will be written to the appropriate file under the `docs` directory. More specifics on generated doc files is covered in the [contributor's file](https://github.com/elastic/ecs/blob/master/CONTRIBUTING.md#generated-documentation-files)
+* Documentation updates will be written to the appropriate file under the `docs` directory. More specifics on generated doc files is covered in the [contributor's file](https://github.com/elastic/ecs/blob/main/CONTRIBUTING.md#generated-documentation-files)
 * Each run of the script will rewrite the entirety of the `generated` directory
 * The script will need to be executed from the top-level of the ECS repo
 * The `version` displayed when running `generator.py` is based on the current value of the [version](version) file in the top-level of the repo
@@ -164,7 +164,7 @@ Use the `--include` flag to generate ECS artifacts based on the current ECS sche
 $ python scripts/generator.py --include ../myproject/ecs/custom-fields/
 ```
 
-The `--include` flag expects a directory of schema YAML files using the same [file format](https://github.com/elastic/ecs/tree/master/schemas#fields-supported-in-schemasyml) as the ECS schema files. This is useful for maintaining custom field definitions that are _outside_ of the ECS schema, but allows for merging the custom fields with the official ECS fields for your deployment.
+The `--include` flag expects a directory of schema YAML files using the same [file format](https://github.com/elastic/ecs/tree/main/schemas#fields-supported-in-schemasyml) as the ECS schema files. This is useful for maintaining custom field definitions that are _outside_ of the ECS schema, but allows for merging the custom fields with the official ECS fields for your deployment.
 
 For example, if we defined the following schema definition in a file named `myproject/ecs/custom-fields/widget.yml`:
 
@@ -234,14 +234,14 @@ Include can be used together with the `--ref` flag to merge custom fields into a
 
 #### Exclude
 
-Use the `--exclude` flag to generate ephemeral ECS artifacts based on the current ECS schema field definitions minus fields considered for removal, e.g. to assess impact of removing these. Warning! This is not the recommended route to remove a field permanently as it is not intentended to be invoked during the build process. Definitive field removal should be implemented using a custom [Subset](#subset) or via the [RFC process](https://github.com/elastic/ecs/tree/master/rfcs/README.md). Example:
+Use the `--exclude` flag to generate ephemeral ECS artifacts based on the current ECS schema field definitions minus fields considered for removal, e.g. to assess impact of removing these. Warning! This is not the recommended route to remove a field permanently as it is not intended to be invoked during the build process. Definitive field removal should be implemented using a custom [Subset](#subset) or via the [RFC process](https://github.com/elastic/ecs/tree/main/rfcs/README.md). Example:
 
 ```
 $ python scripts/generator.py --exclude=../my-project/my-exclude-file.yml
 $ python scripts/generator.py --exclude="../my-project/schemas/a*.yml"
 ```
 
-The `--exclude` flag expects a path to one or more YAML files using the same [file format](https://github.com/elastic/ecs/tree/master/schemas#fields-supported-in-schemasyml) as the ECS schema files. You can also use a subset, provided that relevant `name` and `fields` fields are preserved.
+The `--exclude` flag expects a path to one or more YAML files using the same [file format](https://github.com/elastic/ecs/tree/main/schemas#fields-supported-in-schemasyml) as the ECS schema files. You can also use a subset, provided that relevant `name` and `fields` fields are preserved.
 
 ```
 ---
diff --git a/docs/converting.asciidoc b/docs/converting.asciidoc
index c5d343eb0f..e23a246fa6 100644
--- a/docs/converting.asciidoc
+++ b/docs/converting.asciidoc
@@ -17,8 +17,8 @@ Before you start a conversion, be sure that you understand the basics below.
 Make sure you understand the distinction between Core and Extended fields,
 as explained in the <<ecs-guidelines>>.
 
-Core and Extended fields are documented in the <<ecs-field-reference>> or, for 
-a single page representation of all fields, please see the 
+Core and Extended fields are documented in the <<ecs-field-reference>> or, for
+a single page representation of all fields, please see the
 {ecs_github_repo_link}/generated/csv/fields.csv[generated CSV of fields].
 
 [float]
diff --git a/docs/faq.asciidoc b/docs/faq.asciidoc
index b30609ea18..5b66a40942 100644
--- a/docs/faq.asciidoc
+++ b/docs/faq.asciidoc
@@ -96,3 +96,20 @@ the ECS data itself, this is not an issue because all fields are predefined.
 
 As long as there are no conflicts, underline notation and ECS dot notation can
 coexist in the same document.
+
+[float]
+[[type-interop]]
+==== What if I want to use a different data type from the same field type family?
+
+In Elasticsearch, field types are grouped by family. Types in the same family support
+the same search functionality but may have different space usage or performance
+characteristics. For example, both `keyword` and `wildcard` types are members of the
+`keyword` family, and `text` and `match_only_text` are members of the `text` family.
+
+The field types defined in ECS provide the best default experience for most users.
+However, a different type from the same family can replace the default defined in ECS
+if required for a specific use cases. Users should understand any potential performance
+or storage differences before changing from a default field type.
+
+The Elasticsearch {ref}/mapping-types.html[mapping types] section has more information about type
+families.
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 93b659d573..d4e513c8f3 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -95,6 +95,7 @@ example: `["production", "env2"]`
 
 |=====
 
+
 [[ecs-agent]]
 === Agent Fields
 
@@ -221,6 +222,7 @@ example: `6.0.0-rc2`
 
 |=====
 
+
 [[ecs-as]]
 === Autonomous System Fields
 
@@ -295,10 +297,6 @@ The `as` fields are expected to be nested at:
 
 
 Note also that the `as` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-client]]
 === Client Fields
 
@@ -530,9 +528,6 @@ example: `co.uk`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-client-nestings]]
 [discrete]
 ===== Field sets that can be nested under Client
@@ -567,6 +562,7 @@ example: `co.uk`
 
 |=====
 
+
 [[ecs-cloud]]
 === Cloud Fields
 
@@ -769,6 +765,58 @@ example: `lambda`
 
 |=====
 
+[discrete]
+==== Field Reuse
+
+The `cloud` fields are expected to be nested at:
+
+
+* `cloud.origin`
+
+* `cloud.target`
+
+
+Note also that the `cloud` fields may be used directly at the root of the events.
+
+[[ecs-cloud-nestings]]
+[discrete]
+===== Field sets that can be nested under Cloud
+
+[options="header"]
+|=====
+| Location | Field Set | Description
+
+// ===============================================================
+
+
+| `cloud.origin.*`
+| <<ecs-cloud,cloud>>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.]
+
+Provides the cloud information of the origin entity in case of an incoming request or event.
+
+// ===============================================================
+
+
+| `cloud.target.*`
+| <<ecs-cloud,cloud>>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.]
+
+Provides the cloud information of the target entity in case of an outgoing request or event.
+
+// ===============================================================
+
+
+|=====
+
+
+
+[discrete]
+==== Cloud Field Usage
+
+For usage and examples of the cloud fields, please see the <<ecs-cloud-usage, Cloud Fields Usage and Examples>> section.
+
+include::usage/cloud.asciidoc[]
+
+
 [[ecs-code_signature]]
 === Code Signature Fields
 
@@ -955,10 +1003,6 @@ The `code_signature` fields are expected to be nested at:
 
 
 Note also that the `code_signature` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-container]]
 === Container Fields
 
@@ -1076,6 +1120,7 @@ example: `docker`
 
 |=====
 
+
 [[ecs-data_stream]]
 === Data Stream Fields
 
@@ -1164,6 +1209,7 @@ example: `logs`
 
 |=====
 
+
 [[ecs-destination]]
 === Destination Fields
 
@@ -1393,9 +1439,6 @@ example: `co.uk`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-destination-nestings]]
 [discrete]
 ===== Field sets that can be nested under Destination
@@ -1430,6 +1473,7 @@ example: `co.uk`
 
 |=====
 
+
 [[ecs-dll]]
 === DLL Fields
 
@@ -1493,9 +1537,6 @@ example: `C:\Windows\System32\kernel32.dll`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-dll-nestings]]
 [discrete]
 ===== Field sets that can be nested under DLL
@@ -1530,6 +1571,7 @@ example: `C:\Windows\System32\kernel32.dll`
 
 |=====
 
+
 [[ecs-dns]]
 === DNS Fields
 
@@ -1871,6 +1913,7 @@ example: `answer`
 
 |=====
 
+
 [[ecs-ecs]]
 === ECS Fields
 
@@ -1905,6 +1948,7 @@ example: `1.0.0`
 
 |=====
 
+
 [[ecs-elf]]
 === ELF Header Fields
 
@@ -2418,10 +2462,6 @@ The `elf` fields are expected to be nested at:
 
 
 Note also that the `elf` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-error]]
 === Error Fields
 
@@ -2526,6 +2566,7 @@ example: `java.lang.NullPointerException`
 
 |=====
 
+
 [[ecs-event]]
 === Event Fields
 
@@ -3070,6 +3111,118 @@ example: `https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38f
 
 |=====
 
+
+[[ecs-faas]]
+=== FaaS Fields
+
+The user fields describe information about the function as a service that is relevant to the event.
+
+beta::[ These fields are in beta and are subject to change.]
+
+[discrete]
+==== FaaS Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+|
+[[field-faas-coldstart]]
+<<field-faas-coldstart, faas.coldstart>>
+
+| Boolean value indicating a cold start of a function.
+
+type: boolean
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-faas-execution]]
+<<field-faas-execution, faas.execution>>
+
+| The execution ID of the current function execution.
+
+type: keyword
+
+
+
+example: `af9d5aa4-a685-4c5f-a22b-444f80b3cc28`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-faas-trigger]]
+<<field-faas-trigger, faas.trigger>>
+
+| Details about the function trigger.
+
+type: nested
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-faas-trigger-request-id]]
+<<field-faas-trigger-request-id, faas.trigger.request_id>>
+
+| The ID of the trigger request , message, event, etc.
+
+type: keyword
+
+
+
+example: `123456789`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-faas-trigger-type]]
+<<field-faas-trigger-type, faas.trigger.type>>
+
+| The trigger for the function execution.
+
+Expected values are:
+
+  * http
+
+  * pubsub
+
+  * datasource
+
+  * timer
+
+  * other
+
+type: keyword
+
+
+
+example: `http`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+
 [[ecs-file]]
 === File Fields
 
@@ -3486,9 +3639,6 @@ The `file` fields are expected to be nested at:
 
 Note also that the `file` fields may be used directly at the root of the events.
 
-
-
-
 [[ecs-file-nestings]]
 [discrete]
 ===== Field sets that can be nested under File
@@ -3538,6 +3688,7 @@ These fields contain Linux Executable Linkable Format (ELF) metadata.
 
 |=====
 
+
 [[ecs-geo]]
 === Geo Fields
 
@@ -3762,10 +3913,6 @@ The `geo` fields are expected to be nested at:
 
 
 Note also that the `geo` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-group]]
 === Group Fields
 
@@ -3844,8 +3991,6 @@ The `group` fields are expected to be nested at:
 Note also that the `group` fields may be used directly at the root of the events.
 
 
-
-
 [[ecs-hash]]
 === Hash Fields
 
@@ -3958,16 +4103,8 @@ The `hash` fields are expected to be nested at:
 
 * `process.hash`
 
-* `threat.enrichments.indicator.hash`
-
-* `threat.indicator.hash`
-
 
 Note also that the `hash` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-host]]
 === Host Fields
 
@@ -4269,9 +4406,6 @@ example: `1325`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-host-nestings]]
 [discrete]
 ===== Field sets that can be nested under Host
@@ -4299,6 +4433,7 @@ example: `1325`
 
 |=====
 
+
 [[ecs-http]]
 === HTTP Fields
 
@@ -4543,6 +4678,7 @@ example: `1.1`
 
 |=====
 
+
 [[ecs-interface]]
 === Interface Fields
 
@@ -4619,10 +4755,6 @@ The `interface` fields are expected to be nested at:
 
 
 Note also that the `interface` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-log]]
 === Log Fields
 
@@ -4851,6 +4983,7 @@ example: `Error`
 
 |=====
 
+
 [[ecs-network]]
 === Network Fields
 
@@ -4871,9 +5004,11 @@ The network.* fields should be populated with details about the network activity
 [[field-network-application]]
 <<field-network-application, network.application>>
 
-| A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
+| When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+
+For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
 
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5047,9 +5182,9 @@ example: `24`
 [[field-network-protocol]]
 <<field-network-protocol, network.protocol>>
 
-| L7 Network protocol name. ex. http, lumberjack, transport protocol.
+| In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
 
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5067,7 +5202,7 @@ example: `http`
 
 | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5085,7 +5220,7 @@ example: `tcp`
 
 | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
 
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5102,9 +5237,6 @@ example: `ipv4`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-network-nestings]]
 [discrete]
 ===== Field sets that can be nested under Network
@@ -5132,6 +5264,7 @@ example: `ipv4`
 
 |=====
 
+
 [[ecs-observer]]
 === Observer Fields
 
@@ -5375,9 +5508,6 @@ type: keyword
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-observer-nestings]]
 [discrete]
 ===== Field sets that can be nested under Observer
@@ -5433,6 +5563,7 @@ type: keyword
 
 |=====
 
+
 [[ecs-orchestrator]]
 === Orchestrator Fields
 
@@ -5593,6 +5724,7 @@ example: `kubernetes`
 
 |=====
 
+
 [[ecs-organization]]
 === Organization Fields
 
@@ -5649,6 +5781,7 @@ Multi-fields:
 
 |=====
 
+
 [[ecs-os]]
 === Operating System Fields
 
@@ -5807,10 +5940,6 @@ The `os` fields are expected to be nested at:
 
 
 Note also that the `os` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-package]]
 === Package Fields
 
@@ -6041,6 +6170,7 @@ example: `1.12.9`
 
 |=====
 
+
 [[ecs-pe]]
 === PE Header Fields
 
@@ -6183,16 +6313,8 @@ The `pe` fields are expected to be nested at:
 
 * `process.pe`
 
-* `threat.enrichments.indicator.pe`
-
-* `threat.indicator.pe`
-
 
 Note also that the `pe` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-process]]
 === Process Fields
 
@@ -6404,22 +6526,6 @@ example: `4242`
 
 // ===============================================================
 
-|
-[[field-process-ppid]]
-<<field-process-ppid, process.ppid>>
-
-| Parent process' pid.
-
-type: long
-
-
-
-example: `4241`
-
-| extended
-
-// ===============================================================
-
 |
 [[field-process-start]]
 <<field-process-start, process.start>>
@@ -6543,9 +6649,6 @@ The `process` fields are expected to be nested at:
 
 Note also that the `process` fields may be used directly at the root of the events.
 
-
-
-
 [[ecs-process-nestings]]
 [discrete]
 ===== Field sets that can be nested under Process
@@ -6595,6 +6698,7 @@ These fields contain Linux Executable Linkable Format (ELF) metadata.
 
 |=====
 
+
 [[ecs-registry]]
 === Registry Fields
 
@@ -6744,8 +6848,6 @@ The `registry` fields are expected to be nested at:
 Note also that the `registry` fields may be used directly at the root of the events.
 
 
-
-
 [[ecs-related]]
 === Related Fields
 
@@ -6842,6 +6944,7 @@ Note: this field should contain an array of values.
 
 |=====
 
+
 [[ecs-rule]]
 === Rule Fields
 
@@ -7025,6 +7128,7 @@ example: `1.1`
 
 |=====
 
+
 [[ecs-server]]
 === Server Fields
 
@@ -7256,9 +7360,6 @@ example: `co.uk`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-server-nestings]]
 [discrete]
 ===== Field sets that can be nested under Server
@@ -7293,6 +7394,7 @@ example: `co.uk`
 
 |=====
 
+
 [[ecs-service]]
 === Service Fields
 
@@ -7481,6 +7583,58 @@ example: `3.2.4`
 
 |=====
 
+[discrete]
+==== Field Reuse
+
+The `service` fields are expected to be nested at:
+
+
+* `service.origin`
+
+* `service.target`
+
+
+Note also that the `service` fields may be used directly at the root of the events.
+
+[[ecs-service-nestings]]
+[discrete]
+===== Field sets that can be nested under Service
+
+[options="header"]
+|=====
+| Location | Field Set | Description
+
+// ===============================================================
+
+
+| `service.origin.*`
+| <<ecs-service,service>>| beta:[ Reusing the `service` fields in this location is currently considered beta.]
+
+Describes the origin service in case of an incoming request or event.
+
+// ===============================================================
+
+
+| `service.target.*`
+| <<ecs-service,service>>| beta:[ Reusing the `service` fields in this location is currently considered beta.]
+
+Describes the target service in case of an outgoing request or event.
+
+// ===============================================================
+
+
+|=====
+
+
+
+[discrete]
+==== Service Field Usage
+
+For usage and examples of the service fields, please see the <<ecs-service-usage, Service Fields Usage and Examples>> section.
+
+include::usage/service.asciidoc[]
+
+
 [[ecs-source]]
 === Source Fields
 
@@ -7710,9 +7864,6 @@ example: `co.uk`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-source-nestings]]
 [discrete]
 ===== Field sets that can be nested under Source
@@ -7747,6 +7898,7 @@ example: `co.uk`
 
 |=====
 
+
 [[ecs-threat]]
 === Threat Fields
 
@@ -7774,6 +7926,9 @@ A list of associated indicators objects enriching the event, and the context of
 type: nested
 
 
+Note: this field should contain an array of values.
+
+
 
 
 
@@ -8177,6 +8332,22 @@ example: `filebeat-8.0.0-2021.05.23-000011`
 
 // ===============================================================
 
+|
+[[field-threat-enrichments-matched-occurred]]
+<<field-threat-enrichments-matched-occurred, threat.enrichments.matched.occurred>>
+
+| Indicates when the indicator match was generated
+
+type: date
+
+
+
+example: `2021-10-05 17:00:58.326000+00:00`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-threat-enrichments-matched-type]]
 <<field-threat-enrichments-matched-type, threat.enrichments.matched.type>>
@@ -8902,9 +9073,6 @@ example: `https://attack.mitre.org/techniques/T1059/001/`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-threat-nestings]]
 [discrete]
 ===== Field sets that can be nested under Threat
@@ -8940,22 +9108,6 @@ Fields describing a location.
 // ===============================================================
 
 
-| `threat.enrichments.indicator.hash.*`
-| <<ecs-hash,hash>>| beta:[ Reusing the `hash` fields in this location is currently considered beta.]
-
-Hashes, usually file hashes.
-
-// ===============================================================
-
-
-| `threat.enrichments.indicator.pe.*`
-| <<ecs-pe,pe>>| beta:[ Reusing the `pe` fields in this location is currently considered beta.]
-
-These fields contain Windows Portable Executable (PE) metadata.
-
-// ===============================================================
-
-
 | `threat.enrichments.indicator.registry.*`
 | <<ecs-registry,registry>>| beta:[ Reusing the `registry` fields in this location is currently considered beta.]
 
@@ -9001,20 +9153,6 @@ These fields contain x509 certificate metadata.
 // ===============================================================
 
 
-| `threat.indicator.hash.*`
-| <<ecs-hash,hash>>
-| Hashes, usually file hashes.
-
-// ===============================================================
-
-
-| `threat.indicator.pe.*`
-| <<ecs-pe,pe>>
-| These fields contain Windows Portable Executable (PE) metadata.
-
-// ===============================================================
-
-
 | `threat.indicator.registry.*`
 | <<ecs-registry,registry>>
 | Fields related to Windows Registry operations.
@@ -9038,6 +9176,7 @@ These fields contain x509 certificate metadata.
 
 |=====
 
+
 [[ecs-tls]]
 === TLS Fields
 
@@ -9530,9 +9669,6 @@ example: `tls`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-tls-nestings]]
 [discrete]
 ===== Field sets that can be nested under TLS
@@ -9560,6 +9696,7 @@ example: `tls`
 
 |=====
 
+
 [[ecs-tracing]]
 === Tracing Fields
 
@@ -9632,6 +9769,7 @@ example: `00f067aa0ba902b7`
 
 |=====
 
+
 [[ecs-url]]
 === URL Fields
 
@@ -9926,8 +10064,6 @@ The `url` fields are expected to be nested at:
 Note also that the `url` fields may be used directly at the root of the events.
 
 
-
-
 [[ecs-user]]
 === User Fields
 
@@ -10100,9 +10236,6 @@ The `user` fields are expected to be nested at:
 
 Note also that the `user` fields may be used directly at the root of the events.
 
-
-
-
 [[ecs-user-nestings]]
 [discrete]
 ===== Field sets that can be nested under User
@@ -10153,6 +10286,7 @@ For usage and examples of the user fields, please see the <<ecs-user-usage, User
 
 include::usage/user.asciidoc[]
 
+
 [[ecs-user_agent]]
 === User agent Fields
 
@@ -10244,9 +10378,6 @@ example: `12.0`
 [discrete]
 ==== Field Reuse
 
-
-
-
 [[ecs-user_agent-nestings]]
 [discrete]
 ===== Field sets that can be nested under User agent
@@ -10267,6 +10398,7 @@ example: `12.0`
 
 |=====
 
+
 [[ecs-vlan]]
 === VLAN Fields
 
@@ -10337,10 +10469,6 @@ The `vlan` fields are expected to be nested at:
 
 
 Note also that the `vlan` fields are not expected to be used directly at the root of the events.
-
-
-
-
 [[ecs-vulnerability]]
 === Vulnerability Fields
 
@@ -10584,6 +10712,7 @@ example: `Critical`
 
 |=====
 
+
 [[ecs-x509]]
 === x509 Certificate Fields
 
@@ -11045,7 +11174,3 @@ The `x509` fields are expected to be nested at:
 
 
 Note also that the `x509` fields are not expected to be used directly at the root of the events.
-
-
-
-
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 883b3b1ec0..530a846121 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -1,4 +1,3 @@
-
 [[ecs-category-field-values-reference]]
 == {ecs} Categorization Fields
 
@@ -561,4 +560,4 @@ Indicates that this event describes only an attempt for which the result is unkn
 
 
 
-include::field-values-usage.asciidoc[]
\ No newline at end of file
+include::field-values-usage.asciidoc[]
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index cede1d4622..1a3fc58aee 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -1,8 +1,7 @@
-
 [[ecs-field-reference]]
 == {ecs} Field Reference
 
-This is the documentation of ECS version 8.0.0-dev.
+This is the documentation of ECS version 8.1.0-dev.
 
 ECS defines multiple groups of related fields. They are called "field sets".
 The <<ecs-base,Base>> field set is the only one whose fields are defined
@@ -11,7 +10,7 @@ at the root of the event.
 All other field sets are defined as objects in {es}, under which
 all fields are defined.
 
-For a single page representation of all fields, please see the 
+For a single page representation of all fields, please see the
 {ecs_github_repo_link}/generated/csv/fields.csv[generated CSV of fields].
 
 [float]
@@ -51,6 +50,8 @@ For a single page representation of all fields, please see the
 
 | <<ecs-event,Event>> | Fields breaking down the event details.
 
+| <<ecs-faas,FaaS>> | Fields describing functions as a service.
+
 | <<ecs-file,File>> | Fields describing files.
 
 | <<ecs-geo,Geo>> | Fields describing a location.
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 074905b8a7..aa31244406 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -10,7 +10,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
 
-This is the documentation of ECS version 8.0.0-dev.
+This is the documentation of ECS version 8.1.0-dev.
 
 [float]
 === What is ECS?
@@ -66,4 +66,4 @@ include::using.asciidoc[]
 include::fields.asciidoc[]
 include::field-values.asciidoc[]
 include::migrating.asciidoc[]
-include::additional.asciidoc[]
\ No newline at end of file
+include::additional.asciidoc[]
diff --git a/docs/usage/README.md b/docs/usage/README.md
index a5077832f6..14d3645f0e 100644
--- a/docs/usage/README.md
+++ b/docs/usage/README.md
@@ -7,7 +7,7 @@ ECS fields can benefit from additional context and examples which describe their
 1. Create an AsciiDoc formatted file with the `.asciidoc` file extension.
 2. Save the file in this directory (`docs/usage`), naming it after its associated field set (e.g. a usage document for the fields defined in `schemas/base.yml` fields would be named `docs/usage/base.asciidoc`).
 3. The anchor at the top of the file (e.g. `[[ecs-base-usage]]`) must use the following convention for valid link references in the generated docs: `[[ecs-<<fieldset-name>>-usage]]`.
-4. The title immediately following the anchor (e.g. `==== Base Fields Usage and Examples`) must use the following convention for formatting and naming Usage and Examples in the generated docs: 
+4. The title immediately following the anchor (e.g. `==== Base Fields Usage and Examples`) must use the following convention for formatting and naming Usage and Examples in the generated docs:
 `==== <<fieldset-name>> Usage and Examples`.
 5. Run `make`. The asciidoc generator will generate the ECS field reference, including the present usage docs.
 
diff --git a/docs/usage/cloud.asciidoc b/docs/usage/cloud.asciidoc
new file mode 100644
index 0000000000..e0432c3afc
--- /dev/null
+++ b/docs/usage/cloud.asciidoc
@@ -0,0 +1,78 @@
+[[ecs-cloud-usage]]
+==== Cloud Fields Usage and Examples
+
+Here are the subjects covered in this page.
+
+* <<ecs-cloud-usage-field-reuse>>
+** <<ecs-cloud-usage-cloud-at-root>>
+** <<ecs-cloud-usage-origin-target>>
+
+[discrete]
+[[ecs-cloud-usage-field-reuse]]
+===== Field reuse
+
+The cloud fields can be used to 
+* <<ecs-cloud-usage-cloud-at-root,describe the cloud resource an event comes from>>
+* or to <<ecs-cloud-usage-origin-target,describe the context of an external cloud resource>> that has a direct invocation relationship to the observed service or resource
+
+[discrete]
+[[ecs-cloud-usage-cloud-at-root]]
+====== Cloud fields at the Root of an Event
+
+Use the cloud fields at the root of an event to describe the cloud resource the event primarily relates to. 
+An example for this use case is a log entry being recorded for a service that is deployed in a cloud environment:
+
+[source,json]
+-----------
+{
+  "cloud": {
+    "provider": "aws", 
+    "region": "us-east-1",
+    "service": { "name": "ec2" }
+  }
+}
+-----------
+
+[discrete]
+[[ecs-cloud-usage-origin-target]]
+====== Describing external cloud resources in an invocation relationship
+
+Managed cloud services can be in an invocation relationship to the observed service (i.e. service for which the corresponding event is captured).
+For instance, an observed service running on AWS Lambda can be invoked through an AWS API Gateway. 
+Another example is an observed service that invokes an external cloud service (e.g. AWS Simple Email Service). 
+In the context of an invocation relationship, cloud fields can be nested under `cloud.origin.*` and `cloud.target.*`, respectively, 
+to capture the cloud context on origin or target cloud services from the perspective of an observed service. 
+This concept is similar to <<ecs-service-usage-origin-target,nesting of service fields>> under `service.origin.*` and `service.target.*`.
+
+Let's consider an exemplary event that represents an inbound AWS Lambda invocation coming from an AWS API Gateway. Use the following `cloud.origin.*` 
+nesting to describe the API Gateway service from the perspective of the AWS Lambda service:
+
+[source,json]
+-----------
+{
+  "service": { <1> 
+    "name": "MyLambdaFunction",
+    "version": "1.0.0",
+    "origin": { <2>
+      "name": "MyGateway",
+      "version" "2.0",
+    }
+  },
+  "cloud": { <3>
+    "provider": "aws", 
+    "region": "us-east-1",
+    "service": { "name": "lambda" },
+    "origin": { <4>
+      "provider": "aws", 
+      "region": "eu-west-1",
+      "service": { "name": "apigateway" }
+    }
+  }
+}
+-----------
+<1> Describes the observed AWS Lambda function 
+<2> Describes the API Gateway service where the inbound request comes from
+<3> Describes the cloud context of the observed AWS Lambda function 
+<4> Describes the cloud context of the API Gateway service where the inbound request comes from
+
+Note that `cloud.origin.*` and `cloud.target.*` fields should only be used on events that represent an invocation relationship.
\ No newline at end of file
diff --git a/docs/usage/service.asciidoc b/docs/usage/service.asciidoc
new file mode 100644
index 0000000000..c6e217580b
--- /dev/null
+++ b/docs/usage/service.asciidoc
@@ -0,0 +1,92 @@
+[[ecs-service-usage]]
+==== Service Fields Usage and Examples
+
+Here are the subjects covered in this page.
+
+* <<ecs-service-usage-field-reuse>>
+** <<ecs-service-usage-service-at-root>>
+** <<ecs-service-usage-origin-target>>
+
+[discrete]
+[[ecs-service-usage-field-reuse]]
+===== Field reuse
+
+The service fields can be used to 
+* <<ecs-service-usage-service-at-root,describe the service for or from which the data was collected>> (i.e. observed service)
+* or to <<ecs-service-usage-origin-target,describe external services that have a direct invocation relationship>> to the observed service
+
+[discrete]
+[[ecs-service-usage-service-at-root]]
+====== Service fields at the Root of an Event
+
+Use the service fields at the root of an event to describe the service the event primarily relates to. 
+An example for this use case is a log entry being recorded for a particular service or appplication (e.g. `MyService`):
+
+[source,json]
+-----------
+{
+  "service": { <1>
+    "id": "d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6", 
+    "name": "MyService",
+    "version": "1.0.0"
+  }, 
+  ...
+}
+-----------
+<1> Describes the service for which the log entry is being captured
+
+[discrete]
+[[ecs-service-usage-origin-target]]
+====== Describing external services in an invocation relationship
+
+Multiple services can be in an invocation relationship.
+Where it is possible to apply https://www.elastic.co/guide/en/apm/guide/current/apm-distributed-tracing.html[distributed tracing] on all the involved services
+describe the individual services <<ecs-service-usage-service-at-root,using root-level service fields>>
+and use the <<ecs-related,tracing fields>> to represent the invocation relationship.
+
+There are situations when distributed tracing cannot be applied on some external services that are in an invocation relationship to an observed service.
+Let's consider the example of a service `MyService` being deployed on a cloud provider with an upstream API gateway that passes through requests to 
+`MyService` (with additional context information about the API gateway itself).
+To describe the API gateway as a service from the perspective of `MyService` one can self-nest the service fields under `service.origin`:
+
+[source,json]
+-----------
+{
+  "service": { <1>
+    "id": "d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6", 
+    "name": "MyService",
+    "version": "1.0.0",
+    "origin": { <2>
+      "id": "api-gateway-46372994637e2b4567", 
+      "name": "SomeGateway",
+      "version" "2.5.1",
+    }
+  }, 
+  ...
+}
+-----------
+<1> Describes the observed service that receives the inbound request from an external service
+<2> Describes the origin external service of the inbound request
+
+Similar to the usage of `service.origin` fields the service fields can be self-nested under `service.target.*` to describe an external target service for an outbound request:
+
+[source,json]
+-----------
+{
+  "service": { <1>
+    "id": "d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6", 
+    "name": "MyService",
+    "version": "1.0.0",
+    "target": { <2>
+      "id": "sms-service-0xe6c4272dbeAf0134", 
+      "name": "ManagedSMSService",
+      "version": "1.9.0",
+    }
+  }, 
+  ...
+}
+-----------
+<1> Describes the observed service that emits the outbound request to an external service
+<2> Describes the target external service of the outbound request
+
+Note that `service.origin.*` and `service.target.*` fields should only be used on events that represent an invocation relationship.
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index b37b9207d3..dc812b0d61 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 8.0.0-dev+exp.
+# based on ECS version 8.1.0-dev+exp.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
@@ -63,6 +63,7 @@
       not change if data is sent through queuing systems like Kafka, Redis, or processing
       systems such as Logstash or APM Server.'
     type: group
+    default_field: true
     fields:
     - name: build.original
       level: core
@@ -127,6 +128,7 @@
       behalf of a single administrative entity or domain that presents a common, clearly
       defined routing policy to the internet.
     type: group
+    default_field: true
     fields:
     - name: number
       level: extended
@@ -144,6 +146,56 @@
         default_field: false
       description: Organization name.
       example: Google LLC
+  - name: cgroup
+    title: Common cgroup metrics
+    group: 2
+    description: Fields related to control group (cgroup) metrics. Due to controller
+      changes between V1 and V2, many same or similar metrics will often appear under
+      different controller names. These fields are common to both cgroup versions.
+    type: group
+    default_field: true
+    fields:
+    - name: cpu.periods
+      level: extended
+      type: long
+      description: Number of period intervals that have elapsed.
+      example: 454839343
+      default_field: false
+    - name: cpu.throttled.us
+      level: extended
+      type: long
+      description: Microseconds of CPU throttled time.
+      example: 15000
+      default_field: false
+    - name: cpu.usage
+      level: extended
+      type: scaled_float
+      description: CPU usage, normalized by the CPU count.
+      scaling_factor: 1000
+      default_field: false
+    - name: memory.limit
+      level: extended
+      type: long
+      description: Memory limit within the cgroup.
+      example: 256
+      default_field: false
+    - name: memory.swap.usage
+      level: extended
+      type: long
+      description: The amount of cgroup memory in swap.
+      example: 5600
+      default_field: false
+    - name: memory.usage
+      level: extended
+      type: long
+      description: Memory usage in bytes
+      example: 25600
+      default_field: false
+    - name: version
+      level: extended
+      type: long
+      description: The cgroup version linked to the metrics
+      default_field: false
   - name: client
     title: Client
     group: 2
@@ -163,6 +215,7 @@
       in that category, you should still ensure that source and destination are filled
       appropriately.'
     type: group
+    default_field: true
     fields:
     - name: address
       level: extended
@@ -436,8 +489,19 @@
       from its host, the cloud info contains the data about this machine. If Metricbeat
       runs on a remote machine outside the cloud and fetches data from a service running
       in the cloud, the field contains cloud data from the machine the service is
-      running on.'
+      running on.
+
+      The cloud fields may be self-nested under cloud.origin.* and cloud.target.*  to
+      describe origin or target service''s cloud information in the context of  incoming
+      or outgoing requests, respectively. However, the fieldsets  cloud.origin.* and
+      cloud.target.* must not be confused with the root cloud  fieldset that is used
+      to describe the cloud context of the actual service  under observation. The
+      fieldset cloud.origin.* may only be used in the  context of incoming requests
+      or events to provide the originating service''s  cloud information. The fieldset
+      cloud.target.* may only be used in the  context of outgoing requests or events
+      to describe the target service''s  cloud information.'
     type: group
+    default_field: true
     fields:
     - name: account.id
       level: extended
@@ -481,6 +545,97 @@
       ignore_above: 1024
       description: Machine type of the host machine.
       example: t2.medium
+    - name: origin.account.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      default_field: false
+    - name: origin.account.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      default_field: false
+    - name: origin.availability_zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      default_field: false
+    - name: origin.instance.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      default_field: false
+    - name: origin.instance.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance name of the host machine.
+      default_field: false
+    - name: origin.machine.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the host machine.
+      example: t2.medium
+      default_field: false
+    - name: origin.project.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      default_field: false
+    - name: origin.project.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      default_field: false
+    - name: origin.provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      default_field: false
+    - name: origin.region
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      default_field: false
+    - name: origin.service.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      default_field: false
     - name: project.id
       level: extended
       type: keyword
@@ -523,11 +678,103 @@
         Examples: app engine, app service, cloud run, fargate, lambda.'
       example: lambda
       default_field: false
+    - name: target.account.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      default_field: false
+    - name: target.account.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      default_field: false
+    - name: target.availability_zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      default_field: false
+    - name: target.instance.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      default_field: false
+    - name: target.instance.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance name of the host machine.
+      default_field: false
+    - name: target.machine.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the host machine.
+      example: t2.medium
+      default_field: false
+    - name: target.project.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      default_field: false
+    - name: target.project.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      default_field: false
+    - name: target.provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      default_field: false
+    - name: target.region
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      default_field: false
+    - name: target.service.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      default_field: false
   - name: code_signature
     title: Code Signature
     group: 2
     description: These fields contain information about binary code signatures.
     type: group
+    default_field: true
     fields:
     - name: digest_algorithm
       level: extended
@@ -615,6 +862,7 @@
 
       These fields help correlate data based containers from any runtime.'
     type: group
+    default_field: true
     fields:
     - name: cpu.usage
       level: extended
@@ -703,6 +951,7 @@
       names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character),
       `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
     type: group
+    default_field: true
     fields:
     - name: dataset
       level: extended
@@ -750,6 +999,7 @@
       transaction. If the event also contains identification of the client and server
       roles, then the client and server fields should also be populated.'
     type: group
+    default_field: true
     fields:
     - name: address
       level: extended
@@ -1029,6 +1279,7 @@
 
       * Dynamic library (`.dylib`) commonly used on macOS'
     type: group
+    default_field: true
     fields:
     - name: code_signature.digest_algorithm
       level: extended
@@ -1427,6 +1678,7 @@
       query details as well as all of the answers that were provided for this query
       (`dns.type:answer`).'
     type: group
+    default_field: true
     fields:
     - name: answers
       level: extended
@@ -1591,6 +1843,7 @@
     group: 2
     description: Meta-information specific to ECS.
     type: group
+    default_field: true
     fields:
     - name: version
       level: core
@@ -1609,6 +1862,7 @@
     group: 2
     description: These fields contain Linux Executable Linkable Format (ELF) metadata.
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: extended
@@ -1798,6 +2052,7 @@
       protocols that send and receive email messages such as SMTP are outside the
       scope of the `email.*` fields.'
     type: group
+    default_field: true
     fields:
     - name: attachments
       level: extended
@@ -1967,6 +2222,7 @@
       Use them for errors that happen while fetching events or in cases where the
       event itself contains an error.'
     type: group
+    default_field: true
     fields:
     - name: code
       level: core
@@ -2012,6 +2268,7 @@
       temperature. See the `event.kind` definition in this section for additional
       details about metric and state events.'
     type: group
+    default_field: true
     fields:
     - name: action
       level: core
@@ -2323,6 +2580,46 @@
         are a common use case for this field.'
       example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
       default_field: false
+  - name: faas
+    title: FaaS
+    group: 2
+    description: The user fields describe information about the function as a service
+      that is relevant to the event.
+    type: group
+    default_field: true
+    fields:
+    - name: coldstart
+      level: extended
+      type: boolean
+      description: Boolean value indicating a cold start of a function.
+      default_field: false
+    - name: execution
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The execution ID of the current function execution.
+      example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+      default_field: false
+    - name: trigger
+      level: extended
+      type: nested
+      description: Details about the function trigger.
+      default_field: false
+    - name: trigger.request_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The ID of the trigger request , message, event, etc.
+      example: 123456789
+      default_field: false
+    - name: trigger.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The trigger for the function execution.\nExpected values are:\n\
+        \  * http\n  * pubsub\n  * datasource\n  * timer\n  * other"
+      example: http
+      default_field: false
   - name: file
     title: File
     group: 2
@@ -2334,6 +2631,7 @@
       services). File fields provide details about the affected file associated with
       the event or metric.'
     type: group
+    default_field: true
     fields:
     - name: accessed
       level: extended
@@ -3231,6 +3529,7 @@
       This geolocation information can be derived from techniques such as Geo IP,
       or be user-supplied.'
     type: group
+    default_field: true
     fields:
     - name: city_name
       level: core
@@ -3315,6 +3614,7 @@
     description: The group fields are meant to represent groups that are relevant
       to the event.
     type: group
+    default_field: true
     fields:
     - name: domain
       level: extended
@@ -3347,6 +3647,7 @@
       a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
       placed in the fieldsets to which they relate (tls and pe, respectively).'
     type: group
+    default_field: true
     fields:
     - name: md5
       level: extended
@@ -3383,6 +3684,7 @@
       event happened, or from which the measurement was taken. Host types include
       hardware, virtual machines, Docker containers, and Kubernetes nodes.'
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: core
@@ -3645,6 +3947,7 @@
     description: Fields related to HTTP activity. Use the `url` field set to store
       the url of the request.
     type: group
+    default_field: true
     fields:
     - name: request.body.bytes
       level: extended
@@ -3759,6 +4062,7 @@
       a single observer interface (e.g. network sensor on a span port) only the observer.ingress
       information should be populated.
     type: group
+    default_field: true
     fields:
     - name: alias
       level: extended
@@ -3795,6 +4099,7 @@
       The details specific to your event source are typically not logged under `log.*`,
       but rather in `event.*` or in other ECS fields.'
     type: group
+    default_field: true
     fields:
     - name: file.path
       level: extended
@@ -3906,19 +4211,21 @@
       The network.* fields should be populated with details about the network activity
       associated with an event.'
     type: group
+    default_field: true
     fields:
     - name: application
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A name given to an application level protocol. This can be arbitrarily
-        assigned for things like microservices, but also apply to things like skype,
-        icq, facebook, twitter. This would be used in situations where the vendor
-        or service can be decoded such as from the source/dest IP owners, ports, or
-        wire format.
+      description: 'When a specific application or service is identified from network
+        connection details (source/dest IPs, ports, certificates, or wire format),
+        this field captures the application''s or service''s name.
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        For example, the original event identifies the network connection being from
+        a specific web service in a `https` network connection, like `facebook` or
+        `twitter`.
+
+        The field value must be normalized to lowercase for querying.'
       example: aim
     - name: bytes
       level: core
@@ -4010,10 +4317,10 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+      description: 'In the OSI Model this would be the Application Layer protocol.
+        For example, `http`, `dns`, or `ssh`.
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: http
     - name: transport
       level: core
@@ -4022,8 +4329,7 @@
       description: 'Same as network.iana_number, but instead using the Keyword name
         of the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: tcp
     - name: type
       level: core
@@ -4032,8 +4338,7 @@
       description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
         ipsec, pim, etc
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: ipv4
     - name: vlan.id
       level: extended
@@ -4065,6 +4370,7 @@
       or metric. Message queues and ETL components used in processing events or metrics
       are not considered observers in ECS.'
     type: group
+    default_field: true
     fields:
     - name: egress
       level: extended
@@ -4378,6 +4684,7 @@
     description: Fields that describe the resources which container orchestrators
       manage or act upon.
     type: group
+    default_field: true
     fields:
     - name: api_version
       level: extended
@@ -4449,6 +4756,7 @@
       These fields help you arrange or filter data stored in an index by one or multiple
       organizations.'
     type: group
+    default_field: true
     fields:
     - name: id
       level: extended
@@ -4469,6 +4777,7 @@
     group: 2
     description: The OS fields contain information about the operating system.
     type: group
+    default_field: true
     fields:
     - name: family
       level: extended
@@ -4536,6 +4845,7 @@
       It contains general information about a package, such as name, version or size.
       It also contains installation details, such as time or location.
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: extended
@@ -4632,6 +4942,7 @@
     group: 2
     description: These fields contain Windows Portable Executable (PE) metadata.
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: extended
@@ -4905,6 +5216,7 @@
       from a log message.  The `process.pid` often stays in the metric itself and
       is copied to the global field for correlation.'
     type: group
+    default_field: true
     fields:
     - name: args
       level: extended
@@ -5919,13 +6231,6 @@
       description: Process id.
       example: 4242
       default_field: false
-    - name: parent.ppid
-      level: extended
-      type: long
-      format: string
-      description: Parent process' pid.
-      example: 4241
-      default_field: false
     - name: parent.start
       level: extended
       type: date
@@ -6248,2834 +6553,2116 @@
       format: string
       description: Process id.
       example: 4242
-    - name: ppid
-      level: extended
-      type: long
-      format: string
-      description: Parent process' pid.
-      example: 4241
     - name: start
       level: extended
       type: date
       description: The time the process started.
       example: '2016-05-23T08:05:34.853Z'
-    - name: target.args
+    - name: thread.id
+      level: extended
+      type: long
+      format: string
+      description: Thread ID.
+      example: 4242
+    - name: thread.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Array of process arguments, starting with the absolute path to
-        the executable.
+      description: Thread name.
+      example: thread-0
+    - name: title
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: 'Process title.
 
-        May be filtered to protect sensitive information.'
-      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
-      default_field: false
-    - name: target.args_count
+        The proctitle, some times the same as process name. Can also be different:
+        for example a browser setting its title to the web page currently opened.'
+    - name: uptime
       level: extended
       type: long
-      description: 'Length of the process.args array.
-
-        This field can be useful for querying or performing bucket analysis on how
-        many arguments were provided to start a process. More arguments may be an
-        indication of suspicious activity.'
-      example: 4
-      default_field: false
-    - name: target.code_signature.digest_algorithm
+      description: Seconds the process has been up.
+      example: 1325
+    - name: working_directory
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The hashing algorithm used to sign the process.
-
-        This value can distinguish signatures when a file is signed multiple times
-        by the same signer but with a different digest algorithm.'
-      example: sha256
-      default_field: false
-    - name: target.code_signature.exists
-      level: core
-      type: boolean
-      description: Boolean to capture if a signature is present.
-      example: 'true'
-      default_field: false
-    - name: target.code_signature.signing_id
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: The working directory of the process.
+      example: /home/alice
+  - name: registry
+    title: Registry
+    group: 2
+    description: Fields related to Windows Registry operations.
+    type: group
+    default_field: true
+    fields:
+    - name: data.bytes
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The identifier used to sign the process.
+      description: 'Original bytes written with base64 encoding.
 
-        This is used to identify the application manufactured by a software vendor.
-        The field is relevant to Apple *OS only.'
-      example: com.apple.xpc.proxy
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
       default_field: false
-    - name: target.code_signature.status
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Additional information about the certificate status.
+    - name: data.strings
+      level: core
+      type: wildcard
+      description: 'Content when writing string types.
 
-        This is useful for logging cryptographic errors with the certificate validity
-        or trust status. Leave unpopulated if the validity or trust of the certificate
-        was unchecked.'
-      example: ERROR_UNTRUSTED_ROOT
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
       default_field: false
-    - name: target.code_signature.subject_name
+    - name: data.type
       level: core
       type: keyword
       ignore_above: 1024
-      description: Subject name of the code signer
-      example: Microsoft Corporation
+      description: Standard registry type for encoding contents
+      example: REG_SZ
       default_field: false
-    - name: target.code_signature.team_id
-      level: extended
+    - name: hive
+      level: core
       type: keyword
       ignore_above: 1024
-      description: 'The team identifier used to sign the process.
-
-        This is used to identify the team or vendor of a software product. The field
-        is relevant to Apple *OS only.'
-      example: EQHXZ8M8AV
-      default_field: false
-    - name: target.code_signature.timestamp
-      level: extended
-      type: date
-      description: Date and time when the code signature was generated and signed.
-      example: '2021-01-01T12:10:30Z'
-      default_field: false
-    - name: target.code_signature.trusted
-      level: extended
-      type: boolean
-      description: 'Stores the trust status of the certificate chain.
-
-        Validating the trust of the certificate chain may be complicated, and this
-        field should only be populated by tools that actively check the status.'
-      example: 'true'
-      default_field: false
-    - name: target.code_signature.valid
-      level: extended
-      type: boolean
-      description: 'Boolean to capture if the digital signature is verified against
-        the binary content.
-
-        Leave unpopulated if a certificate was unchecked.'
-      example: 'true'
+      description: Abbreviated name for the hive.
+      example: HKLM
       default_field: false
-    - name: target.command_line
-      level: extended
-      type: wildcard
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: 'Full command line that started the process, including the absolute
-        path to the executable, and all arguments.
-
-        Some arguments may be filtered to protect sensitive information.'
-      example: /usr/bin/ssh -l user 10.0.0.16
+    - name: key
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Hive-relative path of keys.
+      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
       default_field: false
-    - name: target.elf.architecture
-      level: extended
+    - name: path
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Machine architecture of the ELF file.
-      example: x86-64
+      description: Full path, including hive, key and value
+      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+        Options\winword.exe\Debugger
       default_field: false
-    - name: target.elf.byte_order
-      level: extended
+    - name: value
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Byte sequence of ELF file.
-      example: Little Endian
+      description: Name of the value written.
+      example: Debugger
       default_field: false
-    - name: target.elf.cpu_type
+  - name: related
+    title: Related
+    group: 2
+    description: 'This field set is meant to facilitate pivoting around a piece of
+      data.
+
+      Some pieces of information can be seen in many places in an ECS event. To facilitate
+      searching for them, store an array of all seen values to their corresponding
+      field in `related.`.
+
+      A concrete example is IP addresses, which can be under host, observer, source,
+      destination, client, server, and network.forwarded_ip. If you append all IPs
+      to `related.ip`, you can then search for a given IP trivially, no matter where
+      it appeared, by querying `related.ip:192.0.2.15`.'
+    type: group
+    default_field: true
+    fields:
+    - name: hash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: CPU type of the ELF file.
-      example: Intel
+      description: All the hashes seen on your event. Populating this field, then
+        using it to search for hashes can help in situations where you're unsure what
+        the hash algorithm is (and therefore which key name to search).
       default_field: false
-    - name: target.elf.creation_date
+    - name: hosts
       level: extended
-      type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
+      type: keyword
+      ignore_above: 1024
+      description: All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
       default_field: false
-    - name: target.elf.exports
+    - name: ip
       level: extended
-      type: flattened
-      description: List of exported element names and types.
-      default_field: false
-    - name: target.elf.header.abi_version
+      type: ip
+      description: All of the IPs seen on your event.
+    - name: user
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF Application Binary Interface (ABI).
+      description: All the user names or other user identifiers seen on the event.
       default_field: false
-    - name: target.elf.header.class
+  - name: rule
+    title: Rule
+    group: 2
+    description: 'Rule fields are used to capture the specifics of any observer or
+      agent rules that generate alerts or other notable events.
+
+      Examples of data sources that would populate the rule fields include: network
+      admission control platforms, network or host IDS/IPS, network firewalls, web
+      application firewalls, url filters, endpoint detection and response (EDR) systems,
+      etc.'
+    type: group
+    default_field: true
+    fields:
+    - name: author
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Header class of the ELF file.
+      description: Name, organization, or pseudonym of the author or authors who created
+        the rule used to generate this event.
+      example: '["Star-Lord"]'
       default_field: false
-    - name: target.elf.header.data
+    - name: category
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Data table of the ELF header.
-      default_field: false
-    - name: target.elf.header.entrypoint
-      level: extended
-      type: long
-      format: string
-      description: Header entrypoint of the ELF file.
+      description: A categorization value keyword used by the entity using the rule
+        for detection of this event.
+      example: Attempted Information Leak
       default_field: false
-    - name: target.elf.header.object_version
+    - name: description
       level: extended
       type: keyword
       ignore_above: 1024
-      description: '"0x1" for original ELF files.'
+      description: The description of the rule generating the event.
+      example: Block requests to public DNS over HTTPS / TLS protocols
       default_field: false
-    - name: target.elf.header.os_abi
+    - name: id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Application Binary Interface (ABI) of the Linux OS.
+      description: A rule ID that is unique within the scope of an agent, observer,
+        or other entity using the rule for detection of this event.
+      example: 101
       default_field: false
-    - name: target.elf.header.type
+    - name: license
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Header type of the ELF file.
+      description: Name of the license under which the rule used to generate this
+        event is made available.
+      example: Apache 2.0
       default_field: false
-    - name: target.elf.header.version
+    - name: name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF header.
-      default_field: false
-    - name: target.elf.imports
-      level: extended
-      type: flattened
-      description: List of imported element names and types.
-      default_field: false
-    - name: target.elf.sections
-      level: extended
-      type: nested
-      description: 'An array containing an object for each section of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.sections.*`.'
-      default_field: false
-    - name: target.elf.sections.chi2
-      level: extended
-      type: long
-      format: number
-      description: Chi-square probability distribution of the section.
-      default_field: false
-    - name: target.elf.sections.entropy
-      level: extended
-      type: long
-      format: number
-      description: Shannon entropy calculation from the section.
+      description: The name of the rule or signature generating the event.
+      example: BLOCK_DNS_over_TLS
       default_field: false
-    - name: target.elf.sections.flags
+    - name: reference
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List flags.
+      description: 'Reference URL to additional information about the rule used to
+        generate this event.
+
+        The URL can point to the vendor''s documentation about the rule. If that''s
+        not available, it can also be a link to a more general page describing this
+        type of alert.'
+      example: https://en.wikipedia.org/wiki/DNS_over_TLS
       default_field: false
-    - name: target.elf.sections.name
+    - name: ruleset
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List name.
+      description: Name of the ruleset, policy, group, or parent category in which
+        the rule used to generate this event is a member.
+      example: Standard_Protocol_Filters
       default_field: false
-    - name: target.elf.sections.physical_offset
+    - name: uuid
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List offset.
-      default_field: false
-    - name: target.elf.sections.physical_size
-      level: extended
-      type: long
-      format: bytes
-      description: ELF Section List physical size.
+      description: A rule ID that is unique within the scope of a set or group of
+        agents, observers, or other entities using the rule for detection of this
+        event.
+      example: 1100110011
       default_field: false
-    - name: target.elf.sections.type
+    - name: version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List type.
-      default_field: false
-    - name: target.elf.sections.virtual_address
-      level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual address.
+      description: The version / revision of the rule being used for analysis.
+      example: 1.1
       default_field: false
-    - name: target.elf.sections.virtual_size
-      level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual size.
-      default_field: false
-    - name: target.elf.segments
-      level: extended
-      type: nested
-      description: 'An array containing an object for each segment of the ELF file.
+  - name: server
+    title: Server
+    group: 2
+    description: 'A Server is defined as the responder in a network connection for
+      events regarding sessions, connections, or bidirectional flow records.
 
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.segments.*`.'
-      default_field: false
-    - name: target.elf.segments.sections
+      For TCP events, the server is the receiver of the initial SYN packet(s) of the
+      TCP connection. For other protocols, the server is generally the responder in
+      the network transaction. Some systems actually use the term "responder" to refer
+      the server in TCP connections. The server fields describe details about the
+      system acting as the server in the network event. Server fields are usually
+      populated in conjunction with client fields. Server fields are generally not
+      populated for packet-level events.
+
+      Client / server representations can add semantic context to an exchange, which
+      is helpful to visualize the data in certain situations. If your context falls
+      in that category, you should still ensure that source and destination are filled
+      appropriately.'
+    type: group
+    default_field: true
+    fields:
+    - name: address
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment sections.
-      default_field: false
-    - name: target.elf.segments.type
+      description: 'Some event server addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment type.
-      default_field: false
-    - name: target.elf.shared_libraries
-      level: extended
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: Organization name.
+      example: Google LLC
+    - name: bytes
+      level: core
+      type: long
+      format: bytes
+      description: Bytes sent from the server to the client.
+      example: 184
+    - name: domain
+      level: core
       type: keyword
       ignore_above: 1024
-      description: List of shared libraries used by this ELF object.
-      default_field: false
-    - name: target.elf.telfhash
-      level: extended
+      description: Server domain.
+    - name: geo.city_name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: telfhash symbol hash for ELF file.
-      default_field: false
-    - name: target.end
-      level: extended
-      type: date
-      description: The time the process ended.
-      example: '2016-05-23T08:05:34.853Z'
+      description: City name.
+      example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
       default_field: false
-    - name: target.entity_id
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Unique identifier for the process.
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
 
-        The implementation of this is specified by the data source, but some examples
-        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
-        or a hash of some uniquely identifying components of a process.
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
 
-        Constructing a globally unique identifier is a common practice to mitigate
-        PID reuse as well as to identify a specific process over time, across multiple
-        monitored hosts.'
-      example: c2c455d9f99375d
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
       default_field: false
-    - name: target.executable
-      level: extended
+    - name: geo.region_iso_code
+      level: core
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Absolute path to the process executable.
-      example: /usr/bin/ssh
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
       default_field: false
-    - name: target.exit_code
+    - name: ip
+      level: core
+      type: ip
+      description: IP address of the server (IPv4 or IPv6).
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'MAC address of the server.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated ip of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: nat.port
       level: extended
       type: long
-      description: 'The exit code of the process, if this is a termination event.
+      format: string
+      description: 'Translated port of destination based NAT sessions (e.g. internet
+        to private DMZ)
 
-        The field should be absent if there is no exit code for the event (e.g. process
-        start).'
-      example: 137
-      default_field: false
-    - name: target.hash.md5
+        Typically used with load balancers, firewalls, or routers.'
+    - name: packets
+      level: core
+      type: long
+      description: Packets sent from the server to the client.
+      example: 12
+    - name: port
+      level: core
+      type: long
+      format: string
+      description: Port of the server.
+    - name: registered_domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: MD5 hash.
-      default_field: false
-    - name: target.hash.sha1
+      description: 'The highest registered server domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: subdomain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA1 hash.
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
       default_field: false
-    - name: target.hash.sha256
+    - name: top_level_domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA256 hash.
-      default_field: false
-    - name: target.hash.sha512
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: user.domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA512 hash.
-      default_field: false
-    - name: target.hash.ssdeep
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.email
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SSDEEP hash.
-      default_field: false
-    - name: target.name
+      description: User email address.
+    - name: user.full_name
       level: extended
       type: keyword
       ignore_above: 1024
       multi_fields:
       - name: text
         type: match_only_text
-      description: 'Process name.
-
-        Sometimes called program name or similar.'
-      example: ssh
-      default_field: false
-    - name: target.parent.args
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: user.group.domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Array of process arguments, starting with the absolute path to
-        the executable.
+      description: 'Name of the directory the group is a member of.
 
-        May be filtered to protect sensitive information.'
-      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
-      default_field: false
-    - name: target.parent.args_count
-      level: extended
-      type: long
-      description: 'Length of the process.args array.
-
-        This field can be useful for querying or performing bucket analysis on how
-        many arguments were provided to start a process. More arguments may be an
-        indication of suspicious activity.'
-      example: 4
-      default_field: false
-    - name: target.parent.code_signature.digest_algorithm
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.group.id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The hashing algorithm used to sign the process.
-
-        This value can distinguish signatures when a file is signed multiple times
-        by the same signer but with a different digest algorithm.'
-      example: sha256
-      default_field: false
-    - name: target.parent.code_signature.exists
-      level: core
-      type: boolean
-      description: Boolean to capture if a signature is present.
-      example: 'true'
-      default_field: false
-    - name: target.parent.code_signature.signing_id
+      description: Unique identifier for the group on the system/platform.
+    - name: user.group.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The identifier used to sign the process.
-
-        This is used to identify the application manufactured by a software vendor.
-        The field is relevant to Apple *OS only.'
-      example: com.apple.xpc.proxy
-      default_field: false
-    - name: target.parent.code_signature.status
+      description: Name of the group.
+    - name: user.hash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Additional information about the certificate status.
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
 
-        This is useful for logging cryptographic errors with the certificate validity
-        or trust status. Leave unpopulated if the validity or trust of the certificate
-        was unchecked.'
-      example: ERROR_UNTRUSTED_ROOT
-      default_field: false
-    - name: target.parent.code_signature.subject_name
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: user.id
       level: core
       type: keyword
       ignore_above: 1024
-      description: Subject name of the code signer
-      example: Microsoft Corporation
-      default_field: false
-    - name: target.parent.code_signature.team_id
-      level: extended
+      description: Unique identifier of the user.
+      example: S-1-5-21-202424912787-2692429404-2351956786-1000
+    - name: user.name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: 'The team identifier used to sign the process.
-
-        This is used to identify the team or vendor of a software product. The field
-        is relevant to Apple *OS only.'
-      example: EQHXZ8M8AV
-      default_field: false
-    - name: target.parent.code_signature.timestamp
-      level: extended
-      type: date
-      description: Date and time when the code signature was generated and signed.
-      example: '2021-01-01T12:10:30Z'
-      default_field: false
-    - name: target.parent.code_signature.trusted
-      level: extended
-      type: boolean
-      description: 'Stores the trust status of the certificate chain.
-
-        Validating the trust of the certificate chain may be complicated, and this
-        field should only be populated by tools that actively check the status.'
-      example: 'true'
-      default_field: false
-    - name: target.parent.code_signature.valid
-      level: extended
-      type: boolean
-      description: 'Boolean to capture if the digital signature is verified against
-        the binary content.
-
-        Leave unpopulated if a certificate was unchecked.'
-      example: 'true'
-      default_field: false
-    - name: target.parent.command_line
-      level: extended
-      type: wildcard
       multi_fields:
       - name: text
         type: match_only_text
-      description: 'Full command line that started the process, including the absolute
-        path to the executable, and all arguments.
-
-        Some arguments may be filtered to protect sensitive information.'
-      example: /usr/bin/ssh -l user 10.0.0.16
-      default_field: false
-    - name: target.parent.elf.architecture
+        default_field: false
+      description: Short name or login of the user.
+      example: a.einstein
+    - name: user.roles
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Machine architecture of the ELF file.
-      example: x86-64
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
       default_field: false
-    - name: target.parent.elf.byte_order
+  - name: service
+    title: Service
+    group: 2
+    description: 'The service fields describe the service for or from which the data
+      was collected.
+
+      These fields help you find and correlate logs for a specific service and version.'
+    footnote: The service fields may be self-nested under service.origin.* and service.target.*  to
+      describe origin or target services in the context of incoming or outgoing requests,  respectively.
+      However, the fieldsets service.origin.* and service.target.* must not be confused
+      with  the root service fieldset that is used to describe the actual service
+      under observation. The fieldset service.origin.* may only be used in the context
+      of incoming requests or  events to describe the originating service of the request.
+      The fieldset service.target.*  may only be used in the context of outgoing requests
+      or events to describe the target  service of the request.
+    type: group
+    default_field: true
+    fields:
+    - name: address
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Byte sequence of ELF file.
-      example: Little Endian
+      description: 'Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
       default_field: false
-    - name: target.parent.elf.cpu_type
+    - name: environment
       level: extended
       type: keyword
       ignore_above: 1024
-      description: CPU type of the ELF file.
-      example: Intel
-      default_field: false
-    - name: target.parent.elf.creation_date
-      level: extended
-      type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      default_field: false
-    - name: target.parent.elf.exports
-      level: extended
-      type: flattened
-      description: List of exported element names and types.
+      description: 'Identifies the environment where the service is running.
+
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
       default_field: false
-    - name: target.parent.elf.header.abi_version
+    - name: ephemeral_id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF Application Binary Interface (ABI).
-      default_field: false
-    - name: target.parent.elf.header.class
-      level: extended
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+    - name: id
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Header class of the ELF file.
-      default_field: false
-    - name: target.parent.elf.header.data
-      level: extended
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+    - name: name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Data table of the ELF header.
-      default_field: false
-    - name: target.parent.elf.header.entrypoint
-      level: extended
-      type: long
-      format: string
-      description: Header entrypoint of the ELF file.
-      default_field: false
-    - name: target.parent.elf.header.object_version
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+    - name: node.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: '"0x1" for original ELF files.'
-      default_field: false
-    - name: target.parent.elf.header.os_abi
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+    - name: origin.address
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Application Binary Interface (ABI) of the Linux OS.
+      description: 'Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
       default_field: false
-    - name: target.parent.elf.header.type
+    - name: origin.environment
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Header type of the ELF file.
+      description: 'Identifies the environment where the service is running.
+
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
       default_field: false
-    - name: target.parent.elf.header.version
+    - name: origin.ephemeral_id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF header.
-      default_field: false
-    - name: target.parent.elf.imports
-      level: extended
-      type: flattened
-      description: List of imported element names and types.
-      default_field: false
-    - name: target.parent.elf.sections
-      level: extended
-      type: nested
-      description: 'An array containing an object for each section of the ELF file.
+      description: 'Ephemeral identifier of this service (if one exists).
 
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.sections.*`.'
-      default_field: false
-    - name: target.parent.elf.sections.chi2
-      level: extended
-      type: long
-      format: number
-      description: Chi-square probability distribution of the section.
-      default_field: false
-    - name: target.parent.elf.sections.entropy
-      level: extended
-      type: long
-      format: number
-      description: Shannon entropy calculation from the section.
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
       default_field: false
-    - name: target.parent.elf.sections.flags
-      level: extended
+    - name: origin.id
+      level: core
       type: keyword
       ignore_above: 1024
-      description: ELF Section List flags.
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
       default_field: false
-    - name: target.parent.elf.sections.name
-      level: extended
+    - name: origin.name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: ELF Section List name.
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
       default_field: false
-    - name: target.parent.elf.sections.physical_offset
+    - name: origin.node.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List offset.
-      default_field: false
-    - name: target.parent.elf.sections.physical_size
-      level: extended
-      type: long
-      format: bytes
-      description: ELF Section List physical size.
-      default_field: false
-    - name: target.parent.elf.sections.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: ELF Section List type.
-      default_field: false
-    - name: target.parent.elf.sections.virtual_address
-      level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual address.
-      default_field: false
-    - name: target.parent.elf.sections.virtual_size
-      level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual size.
-      default_field: false
-    - name: target.parent.elf.segments
-      level: extended
-      type: nested
-      description: 'An array containing an object for each segment of the ELF file.
+      description: 'Name of a service node.
 
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.segments.*`.'
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
       default_field: false
-    - name: target.parent.elf.segments.sections
-      level: extended
+    - name: origin.state
+      level: core
       type: keyword
       ignore_above: 1024
-      description: ELF object segment sections.
+      description: Current state of the service.
       default_field: false
-    - name: target.parent.elf.segments.type
-      level: extended
+    - name: origin.type
+      level: core
       type: keyword
       ignore_above: 1024
-      description: ELF object segment type.
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
       default_field: false
-    - name: target.parent.elf.shared_libraries
-      level: extended
+    - name: origin.version
+      level: core
       type: keyword
       ignore_above: 1024
-      description: List of shared libraries used by this ELF object.
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
       default_field: false
-    - name: target.parent.elf.telfhash
-      level: extended
+    - name: state
+      level: core
       type: keyword
       ignore_above: 1024
-      description: telfhash symbol hash for ELF file.
-      default_field: false
-    - name: target.parent.end
-      level: extended
-      type: date
-      description: The time the process ended.
-      example: '2016-05-23T08:05:34.853Z'
-      default_field: false
-    - name: target.parent.entity_id
+      description: Current state of the service.
+    - name: target.address
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Unique identifier for the process.
-
-        The implementation of this is specified by the data source, but some examples
-        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
-        or a hash of some uniquely identifying components of a process.
+      description: 'Address where data about this service was collected from.
 
-        Constructing a globally unique identifier is a common practice to mitigate
-        PID reuse as well as to identify a specific process over time, across multiple
-        monitored hosts.'
-      example: c2c455d9f99375d
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
       default_field: false
-    - name: target.parent.executable
+    - name: target.environment
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Absolute path to the process executable.
-      example: /usr/bin/ssh
-      default_field: false
-    - name: target.parent.exit_code
-      level: extended
-      type: long
-      description: 'The exit code of the process, if this is a termination event.
+      description: 'Identifies the environment where the service is running.
 
-        The field should be absent if there is no exit code for the event (e.g. process
-        start).'
-      example: 137
-      default_field: false
-    - name: target.parent.hash.md5
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: MD5 hash.
-      default_field: false
-    - name: target.parent.hash.sha1
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA1 hash.
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
       default_field: false
-    - name: target.parent.hash.sha256
+    - name: target.ephemeral_id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA256 hash.
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
       default_field: false
-    - name: target.parent.hash.sha512
-      level: extended
+    - name: target.id
+      level: core
       type: keyword
       ignore_above: 1024
-      description: SHA512 hash.
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
       default_field: false
-    - name: target.parent.hash.ssdeep
-      level: extended
+    - name: target.name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: SSDEEP hash.
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
       default_field: false
-    - name: target.parent.name
+    - name: target.node.name
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: 'Process name.
+      description: 'Name of a service node.
 
-        Sometimes called program name or similar.'
-      example: ssh
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
       default_field: false
-    - name: target.parent.pe.architecture
-      level: extended
+    - name: target.state
+      level: core
       type: keyword
       ignore_above: 1024
-      description: CPU architecture target for the file.
-      example: x64
+      description: Current state of the service.
       default_field: false
-    - name: target.parent.pe.authentihash
-      level: extended
+    - name: target.type
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
       default_field: false
-    - name: target.parent.pe.company
-      level: extended
+    - name: target.version
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      default_field: false
-    - name: target.parent.pe.compile_timestamp
-      level: extended
-      type: date
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
       default_field: false
-    - name: target.parent.pe.compiler.name
-      level: extended
+    - name: type
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Name of the compiler
-      example: Clang
-      default_field: false
-    - name: target.parent.pe.compiler.version
-      level: extended
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+    - name: version
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Version of the compiler.
-      example: 11.0.0
-      default_field: false
-    - name: target.parent.pe.creation_date
-      level: extended
-      type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: target.parent.pe.debug
-      level: extended
-      type: nested
-      description: 'An array containing an object for each debug entry, if present.
+      description: 'Version of the service the data was collected from.
 
-        The expected fields for this nested object fall under the `debug.` prefix.'
-      default_field: false
-    - name: target.parent.pe.debug.offset
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+  - name: source
+    title: Source
+    group: 2
+    description: 'Source fields capture details about the sender of a network exchange/packet.
+      These fields are populated from a network event, packet, or other event containing
+      details of a network transaction.
+
+      Source fields are usually populated in conjunction with destination fields.
+      The source and destination fields are considered the baseline and should always
+      be filled if an event contains source and destination details from a network
+      transaction. If the event also contains identification of the client and server
+      roles, then the client and server fields should also be populated.'
+    type: group
+    default_field: true
+    fields:
+    - name: address
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Debug offset information.
-      example: 1296336
-      default_field: false
-    - name: target.parent.pe.debug.size
+      description: 'Some event source addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+    - name: as.number
       level: extended
       type: long
-      format: bytes
-      description: Size of the debug information.
-      example: 816
-      default_field: false
-    - name: target.parent.pe.debug.timestamp
-      level: extended
-      type: date
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: target.parent.pe.debug.type
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
-      default_field: false
-    - name: target.parent.pe.description
-      level: extended
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: Organization name.
+      example: Google LLC
+    - name: bytes
+      level: core
+      type: long
+      format: bytes
+      description: Bytes sent from the source to the destination.
+      example: 184
+    - name: domain
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      default_field: false
-    - name: target.parent.pe.entry_point
-      level: extended
+      description: Source domain.
+    - name: geo.city_name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
-      default_field: false
-    - name: target.parent.pe.exports
-      level: extended
+      description: City name.
+      example: Montreal
+    - name: geo.continent_code
+      level: core
       type: keyword
       ignore_above: 1024
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      description: Two-letter code representing continent's name.
+      example: NA
       default_field: false
-    - name: target.parent.pe.file_version
-      level: extended
+    - name: geo.continent_name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      default_field: false
-    - name: target.parent.pe.icon.hash.dhash
-      level: extended
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
-      default_field: false
-    - name: target.parent.pe.imphash
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
 
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      default_field: false
-    - name: target.parent.pe.imports
-      level: extended
-      type: flattened
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
-      default_field: false
-    - name: target.parent.pe.machine_type
-      level: extended
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.postal_code
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
       default_field: false
-    - name: target.parent.pe.original_file_name
-      level: extended
+    - name: geo.region_iso_code
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      default_field: false
-    - name: target.parent.pe.packers
-      level: extended
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
-      default_field: false
-    - name: target.parent.pe.product
-      level: extended
+      description: Region name.
+      example: Quebec
+    - name: geo.timezone
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
       default_field: false
-    - name: target.parent.pe.resources
+    - name: ip
+      level: core
+      type: ip
+      description: IP address of the source (IPv4 or IPv6).
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'MAC address of the source.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
+    - name: nat.ip
       level: extended
-      type: nested
-      description: 'An array containing an object for each PE resource, if present.
+      type: ip
+      description: 'Translated ip of source based NAT sessions (e.g. internal client
+        to internet)
 
-        The expected fields for this nested object fall under the `resources.` prefix.'
-      default_field: false
-    - name: target.parent.pe.resources.chi2
+        Typically connections traversing load balancers, firewalls, or routers.'
+    - name: nat.port
       level: extended
       type: long
-      description: Chi-square probability distribution.
-      example: -1
-      default_field: false
-    - name: target.parent.pe.resources.entropy
-      level: extended
+      format: string
+      description: 'Translated port of source based NAT sessions. (e.g. internal client
+        to internet)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: packets
+      level: core
       type: long
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
-      default_field: false
-    - name: target.parent.pe.resources.filetype
+      description: Packets sent from the source to the destination.
+      example: 12
+    - name: port
+      level: core
+      type: long
+      format: string
+      description: Port of the source.
+    - name: registered_domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File type of the resources section.
-      example: Data
-      default_field: false
-    - name: target.parent.pe.resources.language
+      description: 'The highest registered source domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: subdomain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
       default_field: false
-    - name: target.parent.pe.resources.sha256
+    - name: top_level_domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-      default_field: false
-    - name: target.parent.pe.resources.type
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: user.domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
-      default_field: false
-    - name: target.parent.pe.rich_header.hash.md5
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.email
       level: extended
       type: keyword
       ignore_above: 1024
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-      default_field: false
-    - name: target.parent.pe.sections
-      level: extended
-      type: nested
-      description: Data about sections of compiled binary PE
-      default_field: false
-    - name: target.parent.pe.sections.chi2
-      level: extended
-      type: long
-      description: Chi-square probability distribution.
-      example: 3027194
-      default_field: false
-    - name: target.parent.pe.sections.entropy
+      description: User email address.
+    - name: user.full_name
       level: extended
-      type: float
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
-      default_field: false
-    - name: target.parent.pe.sections.flags
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: user.group.domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Section flags of the file.
-      example: rx
-      default_field: false
-    - name: target.parent.pe.sections.name
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.group.id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Section names of the file.
-      example: .text, .data
-      default_field: false
-    - name: target.parent.pe.sections.raw_size
+      description: Unique identifier for the group on the system/platform.
+    - name: user.group.name
       level: extended
-      type: long
-      format: bytes
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      default_field: false
-    - name: target.parent.pe.sections.virtual_address
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: user.hash
       level: extended
-      type: long
-      format: bytes
-      description: Virtual address available to the file.
-      example: 8192
-      default_field: false
-    - name: target.parent.pgid
-      level: extended
-      type: long
-      format: string
-      description: Identifier of the group of processes the process belongs to.
-      default_field: false
-    - name: target.parent.pid
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: user.id
       level: core
-      type: long
-      format: string
-      description: Process id.
-      example: 4242
-      default_field: false
-    - name: target.parent.ppid
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      example: S-1-5-21-202424912787-2692429404-2351956786-1000
+    - name: user.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: Short name or login of the user.
+      example: a.einstein
+    - name: user.roles
       level: extended
-      type: long
-      format: string
-      description: Parent process' pid.
-      example: 4241
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
       default_field: false
-    - name: target.parent.start
+  - name: threat
+    title: Threat
+    group: 2
+    description: "Fields to classify events and alerts according to a threat taxonomy\
+      \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
+      \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
+      \ The threat.tactic.* fields are meant to capture the high level category of\
+      \ the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\
+      \ which kind of approach is used by this detected threat, to accomplish the\
+      \ goal (e.g. \"endpoint denial of service\")."
+    type: group
+    default_field: true
+    fields:
+    - name: enrichments
       level: extended
-      type: date
-      description: The time the process started.
-      example: '2016-05-23T08:05:34.853Z'
+      type: nested
+      description: A list of associated indicators objects enriching the event, and
+        the context of that association/enrichment.
       default_field: false
-    - name: target.parent.thread.id
+    - name: enrichments.indicator
       level: extended
-      type: long
-      format: string
-      description: Thread ID.
-      example: 4242
+      type: object
+      description: Object containing associated indicators enriching the event.
       default_field: false
-    - name: target.parent.thread.name
+    - name: enrichments.indicator.as.number
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Thread name.
-      example: thread-0
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
       default_field: false
-    - name: target.parent.title
+    - name: enrichments.indicator.as.organization.name
       level: extended
       type: keyword
       ignore_above: 1024
       multi_fields:
       - name: text
         type: match_only_text
-      description: 'Process title.
-
-        The proctitle, some times the same as process name. Can also be different:
-        for example a browser setting its title to the web page currently opened.'
+      description: Organization name.
+      example: Google LLC
       default_field: false
-    - name: target.parent.uptime
+    - name: enrichments.indicator.confidence
       level: extended
-      type: long
-      description: Seconds the process has been up.
-      example: 1325
+      type: keyword
+      ignore_above: 1024
+      description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the\
+        \ None/Low/Medium/High\_scale defined in Appendix A of the STIX 2.1 framework.\
+        \ Vendor-specific confidence scales may be added as custom fields.\nExpected\
+        \ values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
+      example: Medium
       default_field: false
-    - name: target.parent.working_directory
+    - name: enrichments.indicator.description
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: The working directory of the process.
-      example: /home/alice
+      description: Describes the type of action conducted by the threat.
+      example: IP x.x.x.x was observed delivering the Angler EK.
       default_field: false
-    - name: target.pe.architecture
+    - name: enrichments.indicator.email.address
       level: extended
       type: keyword
       ignore_above: 1024
-      description: CPU architecture target for the file.
-      example: x64
+      description: Identifies a threat indicator as an email address (irrespective
+        of direction).
+      example: phish@example.com
+      default_field: false
+    - name: enrichments.indicator.file.accessed
+      level: extended
+      type: date
+      description: 'Last time the file was accessed.
+
+        Note that not all filesystems keep track of access time.'
       default_field: false
-    - name: target.pe.authentihash
+    - name: enrichments.indicator.file.attributes
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      description: 'Array of file attributes.
+
+        Attributes names will vary by platform. Here''s a non-exhaustive list of values
+        that are expected in this field: archive, compressed, directory, encrypted,
+        execute, hidden, read, readonly, system, write.'
+      example: '["readonly", "system"]'
       default_field: false
-    - name: target.pe.company
+    - name: enrichments.indicator.file.code_signature.digest_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
+    - name: enrichments.indicator.file.code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
       default_field: false
-    - name: target.pe.compile_timestamp
+    - name: enrichments.indicator.file.code_signature.signing_id
       level: extended
-      type: date
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
       default_field: false
-    - name: target.pe.compiler.name
+    - name: enrichments.indicator.file.code_signature.status
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the compiler
-      example: Clang
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: enrichments.indicator.file.code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
       default_field: false
-    - name: target.pe.compiler.version
+    - name: enrichments.indicator.file.code_signature.team_id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the compiler.
-      example: 11.0.0
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
       default_field: false
-    - name: target.pe.creation_date
+    - name: enrichments.indicator.file.code_signature.timestamp
       level: extended
       type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
       default_field: false
-    - name: target.pe.debug
+    - name: enrichments.indicator.file.code_signature.trusted
       level: extended
-      type: nested
-      description: 'An array containing an object for each debug entry, if present.
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
 
-        The expected fields for this nested object fall under the `debug.` prefix.'
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
       default_field: false
-    - name: target.pe.debug.offset
+    - name: enrichments.indicator.file.code_signature.valid
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Debug offset information.
-      example: 1296336
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
       default_field: false
-    - name: target.pe.debug.size
+    - name: enrichments.indicator.file.created
       level: extended
-      type: long
-      format: bytes
-      description: Size of the debug information.
-      example: 816
+      type: date
+      description: 'File creation time.
+
+        Note that not all filesystems store the creation time.'
       default_field: false
-    - name: target.pe.debug.timestamp
+    - name: enrichments.indicator.file.ctime
       level: extended
       type: date
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
+      description: 'Last time the file attributes or metadata changed.
+
+        Note that changes to the file content will update `mtime`. This implies `ctime`
+        will be adjusted at the same time, since `mtime` is an attribute of the file.'
       default_field: false
-    - name: target.pe.debug.type
+    - name: enrichments.indicator.file.device
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
+      description: Device that is the source of the file.
+      example: sda
       default_field: false
-    - name: target.pe.description
+    - name: enrichments.indicator.file.directory
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
+      description: Directory where the file is located. It should include the drive
+        letter, when appropriate.
+      example: /home/alice
       default_field: false
-    - name: target.pe.entry_point
+    - name: enrichments.indicator.file.drive_letter
       level: extended
       type: keyword
-      ignore_above: 1024
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
+      ignore_above: 1
+      description: 'Drive letter where the file is located. This field is only relevant
+        on Windows.
+
+        The value should be uppercase, and not include the colon.'
+      example: C
       default_field: false
-    - name: target.pe.exports
+    - name: enrichments.indicator.file.elf.architecture
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      description: Machine architecture of the ELF file.
+      example: x86-64
       default_field: false
-    - name: target.pe.file_version
+    - name: enrichments.indicator.file.elf.byte_order
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
+      description: Byte sequence of ELF file.
+      example: Little Endian
       default_field: false
-    - name: target.pe.icon.hash.dhash
+    - name: enrichments.indicator.file.elf.cpu_type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
+      description: CPU type of the ELF file.
+      example: Intel
       default_field: false
-    - name: target.pe.imphash
+    - name: enrichments.indicator.file.elf.creation_date
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
       default_field: false
-    - name: target.pe.imports
+    - name: enrichments.indicator.file.elf.exports
       level: extended
       type: flattened
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
-      default_field: false
-    - name: target.pe.machine_type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
+      description: List of exported element names and types.
       default_field: false
-    - name: target.pe.original_file_name
+    - name: enrichments.indicator.file.elf.header.abi_version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
+      description: Version of the ELF Application Binary Interface (ABI).
       default_field: false
-    - name: target.pe.packers
+    - name: enrichments.indicator.file.elf.header.class
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
+      description: Header class of the ELF file.
       default_field: false
-    - name: target.pe.product
+    - name: enrichments.indicator.file.elf.header.data
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      default_field: false
-    - name: target.pe.resources
-      level: extended
-      type: nested
-      description: 'An array containing an object for each PE resource, if present.
-
-        The expected fields for this nested object fall under the `resources.` prefix.'
-      default_field: false
-    - name: target.pe.resources.chi2
-      level: extended
-      type: long
-      description: Chi-square probability distribution.
-      example: -1
+      description: Data table of the ELF header.
       default_field: false
-    - name: target.pe.resources.entropy
+    - name: enrichments.indicator.file.elf.header.entrypoint
       level: extended
       type: long
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
+      format: string
+      description: Header entrypoint of the ELF file.
       default_field: false
-    - name: target.pe.resources.filetype
+    - name: enrichments.indicator.file.elf.header.object_version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File type of the resources section.
-      example: Data
+      description: '"0x1" for original ELF files.'
       default_field: false
-    - name: target.pe.resources.language
+    - name: enrichments.indicator.file.elf.header.os_abi
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
+      description: Application Binary Interface (ABI) of the Linux OS.
       default_field: false
-    - name: target.pe.resources.sha256
+    - name: enrichments.indicator.file.elf.header.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      description: Header type of the ELF file.
       default_field: false
-    - name: target.pe.resources.type
+    - name: enrichments.indicator.file.elf.header.version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
+      description: Version of the ELF header.
       default_field: false
-    - name: target.pe.rich_header.hash.md5
+    - name: enrichments.indicator.file.elf.imports
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      type: flattened
+      description: List of imported element names and types.
       default_field: false
-    - name: target.pe.sections
+    - name: enrichments.indicator.file.elf.sections
       level: extended
       type: nested
-      description: Data about sections of compiled binary PE
-      default_field: false
-    - name: target.pe.sections.chi2
-      level: extended
-      type: long
-      description: Chi-square probability distribution.
-      example: 3027194
-      default_field: false
-    - name: target.pe.sections.entropy
-      level: extended
-      type: float
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
-      default_field: false
-    - name: target.pe.sections.flags
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Section flags of the file.
-      example: rx
-      default_field: false
-    - name: target.pe.sections.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Section names of the file.
-      example: .text, .data
-      default_field: false
-    - name: target.pe.sections.raw_size
-      level: extended
-      type: long
-      format: bytes
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      default_field: false
-    - name: target.pe.sections.virtual_address
-      level: extended
-      type: long
-      format: bytes
-      description: Virtual address available to the file.
-      example: 8192
-      default_field: false
-    - name: target.pgid
-      level: extended
-      type: long
-      format: string
-      description: Identifier of the group of processes the process belongs to.
-      default_field: false
-    - name: target.pid
-      level: core
-      type: long
-      format: string
-      description: Process id.
-      example: 4242
-      default_field: false
-    - name: target.ppid
-      level: extended
-      type: long
-      format: string
-      description: Parent process' pid.
-      example: 4241
-      default_field: false
-    - name: target.start
-      level: extended
-      type: date
-      description: The time the process started.
-      example: '2016-05-23T08:05:34.853Z'
-      default_field: false
-    - name: target.thread.id
-      level: extended
-      type: long
-      format: string
-      description: Thread ID.
-      example: 4242
-      default_field: false
-    - name: target.thread.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Thread name.
-      example: thread-0
-      default_field: false
-    - name: target.title
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: 'Process title.
+      description: 'An array containing an object for each section of the ELF file.
 
-        The proctitle, some times the same as process name. Can also be different:
-        for example a browser setting its title to the web page currently opened.'
+        The keys that should be present in these objects are defined by sub-fields
+        underneath `elf.sections.*`.'
       default_field: false
-    - name: target.uptime
+    - name: enrichments.indicator.file.elf.sections.chi2
       level: extended
       type: long
-      description: Seconds the process has been up.
-      example: 1325
-      default_field: false
-    - name: target.working_directory
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: The working directory of the process.
-      example: /home/alice
+      format: number
+      description: Chi-square probability distribution of the section.
       default_field: false
-    - name: thread.id
-      level: extended
-      type: long
-      format: string
-      description: Thread ID.
-      example: 4242
-    - name: thread.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Thread name.
-      example: thread-0
-    - name: title
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: 'Process title.
-
-        The proctitle, some times the same as process name. Can also be different:
-        for example a browser setting its title to the web page currently opened.'
-    - name: uptime
+    - name: enrichments.indicator.file.elf.sections.entropy
       level: extended
       type: long
-      description: Seconds the process has been up.
-      example: 1325
-    - name: working_directory
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: The working directory of the process.
-      example: /home/alice
-  - name: registry
-    title: Registry
-    group: 2
-    description: Fields related to Windows Registry operations.
-    type: group
-    fields:
-    - name: data.bytes
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Original bytes written with base64 encoding.
-
-        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
-        corresponds to the data pointed by `lp_data`. This is optional but provides
-        better recoverability and should be populated for REG_BINARY encoded values.'
-      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-      default_field: false
-    - name: data.strings
-      level: core
-      type: wildcard
-      description: 'Content when writing string types.
-
-        Populated as an array when writing string data to the registry. For single
-        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
-        one string. For sequences of string with REG_MULTI_SZ, this array will be
-        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
-        be populated with the decimal representation (e.g `"1"`).'
-      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
-      default_field: false
-    - name: data.type
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Standard registry type for encoding contents
-      example: REG_SZ
-      default_field: false
-    - name: hive
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Abbreviated name for the hive.
-      example: HKLM
+      format: number
+      description: Shannon entropy calculation from the section.
       default_field: false
-    - name: key
-      level: core
+    - name: enrichments.indicator.file.elf.sections.flags
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Hive-relative path of keys.
-      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-      default_field: false
-    - name: path
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Full path, including hive, key and value
-      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
-        Options\winword.exe\Debugger
-      default_field: false
-    - name: value
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Name of the value written.
-      example: Debugger
-      default_field: false
-  - name: related
-    title: Related
-    group: 2
-    description: 'This field set is meant to facilitate pivoting around a piece of
-      data.
-
-      Some pieces of information can be seen in many places in an ECS event. To facilitate
-      searching for them, store an array of all seen values to their corresponding
-      field in `related.`.
-
-      A concrete example is IP addresses, which can be under host, observer, source,
-      destination, client, server, and network.forwarded_ip. If you append all IPs
-      to `related.ip`, you can then search for a given IP trivially, no matter where
-      it appeared, by querying `related.ip:192.0.2.15`.'
-    type: group
-    fields:
-    - name: hash
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: All the hashes seen on your event. Populating this field, then
-        using it to search for hashes can help in situations where you're unsure what
-        the hash algorithm is (and therefore which key name to search).
-      default_field: false
-    - name: hosts
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: All hostnames or other host identifiers seen on your event. Example
-        identifiers include FQDNs, domain names, workstation names, or aliases.
-      default_field: false
-    - name: ip
-      level: extended
-      type: ip
-      description: All of the IPs seen on your event.
-    - name: user
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: All the user names or other user identifiers seen on the event.
-      default_field: false
-  - name: rule
-    title: Rule
-    group: 2
-    description: 'Rule fields are used to capture the specifics of any observer or
-      agent rules that generate alerts or other notable events.
-
-      Examples of data sources that would populate the rule fields include: network
-      admission control platforms, network or host IDS/IPS, network firewalls, web
-      application firewalls, url filters, endpoint detection and response (EDR) systems,
-      etc.'
-    type: group
-    fields:
-    - name: author
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name, organization, or pseudonym of the author or authors who created
-        the rule used to generate this event.
-      example: '["Star-Lord"]'
-      default_field: false
-    - name: category
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: A categorization value keyword used by the entity using the rule
-        for detection of this event.
-      example: Attempted Information Leak
-      default_field: false
-    - name: description
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: The description of the rule generating the event.
-      example: Block requests to public DNS over HTTPS / TLS protocols
-      default_field: false
-    - name: id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: A rule ID that is unique within the scope of an agent, observer,
-        or other entity using the rule for detection of this event.
-      example: 101
-      default_field: false
-    - name: license
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the license under which the rule used to generate this
-        event is made available.
-      example: Apache 2.0
-      default_field: false
-    - name: name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: The name of the rule or signature generating the event.
-      example: BLOCK_DNS_over_TLS
-      default_field: false
-    - name: reference
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Reference URL to additional information about the rule used to
-        generate this event.
-
-        The URL can point to the vendor''s documentation about the rule. If that''s
-        not available, it can also be a link to a more general page describing this
-        type of alert.'
-      example: https://en.wikipedia.org/wiki/DNS_over_TLS
-      default_field: false
-    - name: ruleset
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the ruleset, policy, group, or parent category in which
-        the rule used to generate this event is a member.
-      example: Standard_Protocol_Filters
-      default_field: false
-    - name: uuid
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: A rule ID that is unique within the scope of a set or group of
-        agents, observers, or other entities using the rule for detection of this
-        event.
-      example: 1100110011
-      default_field: false
-    - name: version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: The version / revision of the rule being used for analysis.
-      example: 1.1
-      default_field: false
-  - name: server
-    title: Server
-    group: 2
-    description: 'A Server is defined as the responder in a network connection for
-      events regarding sessions, connections, or bidirectional flow records.
-
-      For TCP events, the server is the receiver of the initial SYN packet(s) of the
-      TCP connection. For other protocols, the server is generally the responder in
-      the network transaction. Some systems actually use the term "responder" to refer
-      the server in TCP connections. The server fields describe details about the
-      system acting as the server in the network event. Server fields are usually
-      populated in conjunction with client fields. Server fields are generally not
-      populated for packet-level events.
-
-      Client / server representations can add semantic context to an exchange, which
-      is helpful to visualize the data in certain situations. If your context falls
-      in that category, you should still ensure that source and destination are filled
-      appropriately.'
-    type: group
-    fields:
-    - name: address
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Some event server addresses are defined ambiguously. The event
-        will sometimes list an IP, a domain or a unix socket.  You should always store
-        the raw address in the `.address` field.
-
-        Then it should be duplicated to `.ip` or `.domain`, depending on which one
-        it is.'
-    - name: as.number
-      level: extended
-      type: long
-      description: Unique number allocated to the autonomous system. The autonomous
-        system number (ASN) uniquely identifies each network on the Internet.
-      example: 15169
-    - name: as.organization.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: Organization name.
-      example: Google LLC
-    - name: bytes
-      level: core
-      type: long
-      format: bytes
-      description: Bytes sent from the server to the client.
-      example: 184
-    - name: domain
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Server domain.
-    - name: geo.city_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: City name.
-      example: Montreal
-    - name: geo.continent_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Two-letter code representing continent's name.
-      example: NA
-      default_field: false
-    - name: geo.continent_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Name of the continent.
-      example: North America
-    - name: geo.country_iso_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Country ISO code.
-      example: CA
-    - name: geo.country_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Country name.
-      example: Canada
-    - name: geo.location
-      level: core
-      type: geo_point
-      description: Longitude and latitude.
-      example: '{ "lon": -73.614830, "lat": 45.505918 }'
-    - name: geo.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'User-defined description of a location, at the level of granularity
-        they care about.
-
-        Could be the name of their data centers, the floor number, if this describes
-        a local physical entity, city names.
-
-        Not typically used in automated geolocation.'
-      example: boston-dc
-    - name: geo.postal_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Postal code associated with the location.
-
-        Values appropriate for this field may also be known as a postcode or ZIP code
-        and will vary widely from country to country.'
-      example: 94040
-      default_field: false
-    - name: geo.region_iso_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Region ISO code.
-      example: CA-QC
-    - name: geo.region_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Region name.
-      example: Quebec
-    - name: geo.timezone
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: The time zone of the location, such as IANA time zone name.
-      example: America/Argentina/Buenos_Aires
-      default_field: false
-    - name: ip
-      level: core
-      type: ip
-      description: IP address of the server (IPv4 or IPv6).
-    - name: mac
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'MAC address of the server.
-
-        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
-        byte) is represented by two [uppercase] hexadecimal digits giving the value
-        of the octet as an unsigned integer. Successive octets are separated by a
-        hyphen.'
-      example: 00-00-5E-00-53-23
-    - name: nat.ip
-      level: extended
-      type: ip
-      description: 'Translated ip of destination based NAT sessions (e.g. internet
-        to private DMZ)
-
-        Typically used with load balancers, firewalls, or routers.'
-    - name: nat.port
-      level: extended
-      type: long
-      format: string
-      description: 'Translated port of destination based NAT sessions (e.g. internet
-        to private DMZ)
-
-        Typically used with load balancers, firewalls, or routers.'
-    - name: packets
-      level: core
-      type: long
-      description: Packets sent from the server to the client.
-      example: 12
-    - name: port
-      level: core
-      type: long
-      format: string
-      description: Port of the server.
-    - name: registered_domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The highest registered server domain, stripped of the subdomain.
-
-        For example, the registered domain for "foo.example.com" is "example.com".
-
-        This value can be determined precisely with a list like the public suffix
-        list (http://publicsuffix.org). Trying to approximate this by simply taking
-        the last two labels will not work well for TLDs such as "co.uk".'
-      example: example.com
-    - name: subdomain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The subdomain portion of a fully qualified domain name includes
-        all of the names except the host name under the registered_domain.  In a partially
-        qualified domain, or if the the qualification level of the full name cannot
-        be determined, subdomain contains all of the names below the registered domain.
-
-        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
-        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
-        the subdomain field should contain "sub2.sub1", with no trailing period.'
-      example: east
-      default_field: false
-    - name: top_level_domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The effective top level domain (eTLD), also known as the domain
-        suffix, is the last part of the domain name. For example, the top level domain
-        for example.com is "com".
-
-        This value can be determined precisely with a list like the public suffix
-        list (http://publicsuffix.org). Trying to approximate this by simply taking
-        the last label will not work well for effective TLDs such as "co.uk".'
-      example: co.uk
-    - name: user.domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the directory the user is a member of.
-
-        For example, an LDAP or Active Directory domain name.'
-    - name: user.email
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: User email address.
-    - name: user.full_name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: User's full name, if available.
-      example: Albert Einstein
-    - name: user.group.domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the directory the group is a member of.
-
-        For example, an LDAP or Active Directory domain name.'
-    - name: user.group.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Unique identifier for the group on the system/platform.
-    - name: user.group.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the group.
-    - name: user.hash
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique user hash to correlate information for a user in anonymized
-        form.
-
-        Useful if `user.id` or `user.name` contain confidential information and cannot
-        be used.'
-    - name: user.id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Unique identifier of the user.
-      example: S-1-5-21-202424912787-2692429404-2351956786-1000
-    - name: user.name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: Short name or login of the user.
-      example: a.einstein
-    - name: user.roles
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Array of user roles at the time of the event.
-      example: '["kibana_admin", "reporting_user"]'
-      default_field: false
-  - name: service
-    title: Service
-    group: 2
-    description: 'The service fields describe the service for or from which the data
-      was collected.
-
-      These fields help you find and correlate logs for a specific service and version.'
-    type: group
-    fields:
-    - name: address
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Address where data about this service was collected from.
-
-        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
-        path (sockets).'
-      example: 172.26.0.2:5432
-      default_field: false
-    - name: environment
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Identifies the environment where the service is running.
-
-        If the same service runs in different environments (production, staging, QA,
-        development, etc.), the environment can identify other instances of the same
-        service. Can also group services and applications from the same environment.'
-      example: production
-      default_field: false
-    - name: ephemeral_id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Ephemeral identifier of this service (if one exists).
-
-        This id normally changes across restarts, but `service.id` does not.'
-      example: 8a4f500f
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique identifier of the running service. If the service is comprised
-        of many nodes, the `service.id` should be the same for all nodes.
-
-        This id should uniquely identify the service. This makes it possible to correlate
-        logs and metrics for one specific service, no matter which particular node
-        emitted the event.
-
-        Note that if you need to see the events from one specific host of the service,
-        you should filter on that `host.name` or `host.id` instead.'
-      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-    - name: name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the service data is collected from.
-
-        The name of the service is normally user given. This allows for distributed
-        services that run on multiple hosts to correlate the related instances based
-        on the name.
-
-        In the case of Elasticsearch the `service.name` could contain the cluster
-        name. For Beats the `service.name` is by default a copy of the `service.type`
-        field if no name is specified.'
-      example: elasticsearch-metrics
-    - name: node.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of a service node.
-
-        This allows for two nodes of the same service running on the same host to
-        be differentiated. Therefore, `service.node.name` should typically be unique
-        across nodes of a given service.
-
-        In the case of Elasticsearch, the `service.node.name` could contain the unique
-        node name within the Elasticsearch cluster. In cases where the service doesn''t
-        have the concept of a node name, the host name or container name can be used
-        to distinguish running instances that make up this service. If those do not
-        provide uniqueness (e.g. multiple instances of the service running on the
-        same host) - the node name can be manually set.'
-      example: instance-0000000016
-    - name: state
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Current state of the service.
-    - name: type
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'The type of the service data is collected from.
-
-        The type can be used to group and correlate logs and metrics from one service
-        type.
-
-        Example: If logs or metrics are collected from Elasticsearch, `service.type`
-        would be `elasticsearch`.'
-      example: elasticsearch
-    - name: version
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Version of the service the data was collected from.
-
-        This allows to look at a data set only for a specific version of a service.'
-      example: 3.2.4
-  - name: source
-    title: Source
-    group: 2
-    description: 'Source fields capture details about the sender of a network exchange/packet.
-      These fields are populated from a network event, packet, or other event containing
-      details of a network transaction.
-
-      Source fields are usually populated in conjunction with destination fields.
-      The source and destination fields are considered the baseline and should always
-      be filled if an event contains source and destination details from a network
-      transaction. If the event also contains identification of the client and server
-      roles, then the client and server fields should also be populated.'
-    type: group
-    fields:
-    - name: address
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Some event source addresses are defined ambiguously. The event
-        will sometimes list an IP, a domain or a unix socket.  You should always store
-        the raw address in the `.address` field.
-
-        Then it should be duplicated to `.ip` or `.domain`, depending on which one
-        it is.'
-    - name: as.number
-      level: extended
-      type: long
-      description: Unique number allocated to the autonomous system. The autonomous
-        system number (ASN) uniquely identifies each network on the Internet.
-      example: 15169
-    - name: as.organization.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: Organization name.
-      example: Google LLC
-    - name: bytes
-      level: core
-      type: long
-      format: bytes
-      description: Bytes sent from the source to the destination.
-      example: 184
-    - name: domain
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Source domain.
-    - name: geo.city_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: City name.
-      example: Montreal
-    - name: geo.continent_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Two-letter code representing continent's name.
-      example: NA
-      default_field: false
-    - name: geo.continent_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Name of the continent.
-      example: North America
-    - name: geo.country_iso_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Country ISO code.
-      example: CA
-    - name: geo.country_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Country name.
-      example: Canada
-    - name: geo.location
-      level: core
-      type: geo_point
-      description: Longitude and latitude.
-      example: '{ "lon": -73.614830, "lat": 45.505918 }'
-    - name: geo.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'User-defined description of a location, at the level of granularity
-        they care about.
-
-        Could be the name of their data centers, the floor number, if this describes
-        a local physical entity, city names.
-
-        Not typically used in automated geolocation.'
-      example: boston-dc
-    - name: geo.postal_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Postal code associated with the location.
-
-        Values appropriate for this field may also be known as a postcode or ZIP code
-        and will vary widely from country to country.'
-      example: 94040
-      default_field: false
-    - name: geo.region_iso_code
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Region ISO code.
-      example: CA-QC
-    - name: geo.region_name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Region name.
-      example: Quebec
-    - name: geo.timezone
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: The time zone of the location, such as IANA time zone name.
-      example: America/Argentina/Buenos_Aires
-      default_field: false
-    - name: ip
-      level: core
-      type: ip
-      description: IP address of the source (IPv4 or IPv6).
-    - name: mac
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'MAC address of the source.
-
-        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
-        byte) is represented by two [uppercase] hexadecimal digits giving the value
-        of the octet as an unsigned integer. Successive octets are separated by a
-        hyphen.'
-      example: 00-00-5E-00-53-23
-    - name: nat.ip
-      level: extended
-      type: ip
-      description: 'Translated ip of source based NAT sessions (e.g. internal client
-        to internet)
-
-        Typically connections traversing load balancers, firewalls, or routers.'
-    - name: nat.port
-      level: extended
-      type: long
-      format: string
-      description: 'Translated port of source based NAT sessions. (e.g. internal client
-        to internet)
-
-        Typically used with load balancers, firewalls, or routers.'
-    - name: packets
-      level: core
-      type: long
-      description: Packets sent from the source to the destination.
-      example: 12
-    - name: port
-      level: core
-      type: long
-      format: string
-      description: Port of the source.
-    - name: registered_domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The highest registered source domain, stripped of the subdomain.
-
-        For example, the registered domain for "foo.example.com" is "example.com".
-
-        This value can be determined precisely with a list like the public suffix
-        list (http://publicsuffix.org). Trying to approximate this by simply taking
-        the last two labels will not work well for TLDs such as "co.uk".'
-      example: example.com
-    - name: subdomain
+      description: ELF Section List flags.
+      default_field: false
+    - name: enrichments.indicator.file.elf.sections.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The subdomain portion of a fully qualified domain name includes
-        all of the names except the host name under the registered_domain.  In a partially
-        qualified domain, or if the the qualification level of the full name cannot
-        be determined, subdomain contains all of the names below the registered domain.
-
-        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
-        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
-        the subdomain field should contain "sub2.sub1", with no trailing period.'
-      example: east
+      description: ELF Section List name.
       default_field: false
-    - name: top_level_domain
+    - name: enrichments.indicator.file.elf.sections.physical_offset
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The effective top level domain (eTLD), also known as the domain
-        suffix, is the last part of the domain name. For example, the top level domain
-        for example.com is "com".
-
-        This value can be determined precisely with a list like the public suffix
-        list (http://publicsuffix.org). Trying to approximate this by simply taking
-        the last label will not work well for effective TLDs such as "co.uk".'
-      example: co.uk
-    - name: user.domain
+      description: ELF Section List offset.
+      default_field: false
+    - name: enrichments.indicator.file.elf.sections.physical_size
+      level: extended
+      type: long
+      format: bytes
+      description: ELF Section List physical size.
+      default_field: false
+    - name: enrichments.indicator.file.elf.sections.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Name of the directory the user is a member of.
+      description: ELF Section List type.
+      default_field: false
+    - name: enrichments.indicator.file.elf.sections.virtual_address
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual address.
+      default_field: false
+    - name: enrichments.indicator.file.elf.sections.virtual_size
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual size.
+      default_field: false
+    - name: enrichments.indicator.file.elf.segments
+      level: extended
+      type: nested
+      description: 'An array containing an object for each segment of the ELF file.
 
-        For example, an LDAP or Active Directory domain name.'
-    - name: user.email
+        The keys that should be present in these objects are defined by sub-fields
+        underneath `elf.segments.*`.'
+      default_field: false
+    - name: enrichments.indicator.file.elf.segments.sections
       level: extended
       type: keyword
       ignore_above: 1024
-      description: User email address.
-    - name: user.full_name
+      description: ELF object segment sections.
+      default_field: false
+    - name: enrichments.indicator.file.elf.segments.type
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: User's full name, if available.
-      example: Albert Einstein
-    - name: user.group.domain
+      description: ELF object segment type.
+      default_field: false
+    - name: enrichments.indicator.file.elf.shared_libraries
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Name of the directory the group is a member of.
-
-        For example, an LDAP or Active Directory domain name.'
-    - name: user.group.id
+      description: List of shared libraries used by this ELF object.
+      default_field: false
+    - name: enrichments.indicator.file.elf.telfhash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Unique identifier for the group on the system/platform.
-    - name: user.group.name
+      description: telfhash symbol hash for ELF file.
+      default_field: false
+    - name: enrichments.indicator.file.extension
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the group.
-    - name: user.hash
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
+      default_field: false
+    - name: enrichments.indicator.file.fork_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Unique user hash to correlate information for a user in anonymized
-        form.
+      description: 'A fork is additional data associated with a filesystem object.
 
-        Useful if `user.id` or `user.name` contain confidential information and cannot
-        be used.'
-    - name: user.id
-      level: core
+        On Linux, a resource fork is used to store additional data with a filesystem
+        object. A file always has at least one fork for the data portion, and additional
+        forks may exist.
+
+        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+        data stream for a file is just called $DATA. Zone.Identifier is commonly used
+        by Windows to track contents downloaded from the Internet. An ADS is typically
+        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+        is the value that should populate `fork_name`. `filename.extension` should
+        populate `file.name`, and `extension` should populate `file.extension`. The
+        full path, `file.path`, will include the fork name.'
+      example: Zone.Identifer
+      default_field: false
+    - name: enrichments.indicator.file.gid
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Unique identifier of the user.
-      example: S-1-5-21-202424912787-2692429404-2351956786-1000
-    - name: user.name
-      level: core
+      description: Primary group ID (GID) of the file.
+      example: '1001'
+      default_field: false
+    - name: enrichments.indicator.file.group
+      level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-        default_field: false
-      description: Short name or login of the user.
-      example: a.einstein
-    - name: user.roles
+      description: Primary group name of the file.
+      example: alice
+      default_field: false
+    - name: enrichments.indicator.file.hash.md5
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Array of user roles at the time of the event.
-      example: '["kibana_admin", "reporting_user"]'
+      description: MD5 hash.
       default_field: false
-  - name: threat
-    title: Threat
-    group: 2
-    description: "Fields to classify events and alerts according to a threat taxonomy\
-      \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
-      \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
-      \ The threat.tactic.* fields are meant to capture the high level category of\
-      \ the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\
-      \ which kind of approach is used by this detected threat, to accomplish the\
-      \ goal (e.g. \"endpoint denial of service\")."
-    type: group
-    fields:
-    - name: enrichments
+    - name: enrichments.indicator.file.hash.sha1
       level: extended
-      type: nested
-      description: A list of associated indicators objects enriching the event, and
-        the context of that association/enrichment.
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
       default_field: false
-    - name: enrichments.indicator
+    - name: enrichments.indicator.file.hash.sha256
       level: extended
-      type: object
-      description: Object containing associated indicators enriching the event.
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
       default_field: false
-    - name: enrichments.indicator.as.number
+    - name: enrichments.indicator.file.hash.sha512
       level: extended
-      type: long
-      description: Unique number allocated to the autonomous system. The autonomous
-        system number (ASN) uniquely identifies each network on the Internet.
-      example: 15169
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
       default_field: false
-    - name: enrichments.indicator.as.organization.name
+    - name: enrichments.indicator.file.hash.ssdeep
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Organization name.
-      example: Google LLC
+      description: SSDEEP hash.
       default_field: false
-    - name: enrichments.indicator.confidence
+    - name: enrichments.indicator.file.inode
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the\
-        \ None/Low/Medium/High\_scale defined in Appendix A of the STIX 2.1 framework.\
-        \ Vendor-specific confidence scales may be added as custom fields.\nExpected\
-        \ values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
-      example: Medium
+      description: Inode representing the file in the filesystem.
+      example: '256383'
       default_field: false
-    - name: enrichments.indicator.description
+    - name: enrichments.indicator.file.mime_type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Describes the type of action conducted by the threat.
-      example: IP x.x.x.x was observed delivering the Angler EK.
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
       default_field: false
-    - name: enrichments.indicator.email.address
+    - name: enrichments.indicator.file.mode
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifies a threat indicator as an email address (irrespective
-        of direction).
-      example: phish@example.com
+      description: Mode of the file in octal representation.
+      example: '0640'
       default_field: false
-    - name: enrichments.indicator.file.accessed
+    - name: enrichments.indicator.file.mtime
       level: extended
       type: date
-      description: 'Last time the file was accessed.
-
-        Note that not all filesystems keep track of access time.'
+      description: Last time the file content was modified.
       default_field: false
-    - name: enrichments.indicator.file.attributes
+    - name: enrichments.indicator.file.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Array of file attributes.
-
-        Attributes names will vary by platform. Here''s a non-exhaustive list of values
-        that are expected in this field: archive, compressed, directory, encrypted,
-        execute, hidden, read, readonly, system, write.'
-      example: '["readonly", "system"]'
+      description: Name of the file including the extension, without the directory.
+      example: example.png
       default_field: false
-    - name: enrichments.indicator.file.code_signature.digest_algorithm
+    - name: enrichments.indicator.file.owner
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The hashing algorithm used to sign the process.
-
-        This value can distinguish signatures when a file is signed multiple times
-        by the same signer but with a different digest algorithm.'
-      example: sha256
+      description: File owner's username.
+      example: alice
       default_field: false
-    - name: enrichments.indicator.file.code_signature.exists
-      level: core
-      type: boolean
-      description: Boolean to capture if a signature is present.
-      example: 'true'
+    - name: enrichments.indicator.file.path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
       default_field: false
-    - name: enrichments.indicator.file.code_signature.signing_id
+    - name: enrichments.indicator.file.pe.architecture
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The identifier used to sign the process.
-
-        This is used to identify the application manufactured by a software vendor.
-        The field is relevant to Apple *OS only.'
-      example: com.apple.xpc.proxy
+      description: CPU architecture target for the file.
+      example: x64
       default_field: false
-    - name: enrichments.indicator.file.code_signature.status
+    - name: enrichments.indicator.file.pe.authentihash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Additional information about the certificate status.
-
-        This is useful for logging cryptographic errors with the certificate validity
-        or trust status. Leave unpopulated if the validity or trust of the certificate
-        was unchecked.'
-      example: ERROR_UNTRUSTED_ROOT
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
       default_field: false
-    - name: enrichments.indicator.file.code_signature.subject_name
-      level: core
+    - name: enrichments.indicator.file.pe.company
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Subject name of the code signer
+      description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
-    - name: enrichments.indicator.file.code_signature.team_id
+    - name: enrichments.indicator.file.pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: enrichments.indicator.file.pe.compiler.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The team identifier used to sign the process.
-
-        This is used to identify the team or vendor of a software product. The field
-        is relevant to Apple *OS only.'
-      example: EQHXZ8M8AV
+      description: Name of the compiler
+      example: Clang
       default_field: false
-    - name: enrichments.indicator.file.code_signature.timestamp
+    - name: enrichments.indicator.file.pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: enrichments.indicator.file.pe.creation_date
       level: extended
       type: date
-      description: Date and time when the code signature was generated and signed.
-      example: '2021-01-01T12:10:30Z'
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: enrichments.indicator.file.code_signature.trusted
+    - name: enrichments.indicator.file.pe.debug
       level: extended
-      type: boolean
-      description: 'Stores the trust status of the certificate chain.
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
 
-        Validating the trust of the certificate chain may be complicated, and this
-        field should only be populated by tools that actively check the status.'
-      example: 'true'
+        The expected fields for this nested object fall under the `debug.` prefix.'
       default_field: false
-    - name: enrichments.indicator.file.code_signature.valid
+    - name: enrichments.indicator.file.pe.debug.offset
       level: extended
-      type: boolean
-      description: 'Boolean to capture if the digital signature is verified against
-        the binary content.
-
-        Leave unpopulated if a certificate was unchecked.'
-      example: 'true'
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
       default_field: false
-    - name: enrichments.indicator.file.created
+    - name: enrichments.indicator.file.pe.debug.size
       level: extended
-      type: date
-      description: 'File creation time.
-
-        Note that not all filesystems store the creation time.'
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
       default_field: false
-    - name: enrichments.indicator.file.ctime
+    - name: enrichments.indicator.file.pe.debug.timestamp
       level: extended
       type: date
-      description: 'Last time the file attributes or metadata changed.
-
-        Note that changes to the file content will update `mtime`. This implies `ctime`
-        will be adjusted at the same time, since `mtime` is an attribute of the file.'
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: enrichments.indicator.file.device
+    - name: enrichments.indicator.file.pe.debug.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Device that is the source of the file.
-      example: sda
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
       default_field: false
-    - name: enrichments.indicator.file.directory
+    - name: enrichments.indicator.file.pe.description
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Directory where the file is located. It should include the drive
-        letter, when appropriate.
-      example: /home/alice
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
       default_field: false
-    - name: enrichments.indicator.file.drive_letter
+    - name: enrichments.indicator.file.pe.entry_point
       level: extended
       type: keyword
-      ignore_above: 1
-      description: 'Drive letter where the file is located. This field is only relevant
-        on Windows.
-
-        The value should be uppercase, and not include the colon.'
-      example: C
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
       default_field: false
-    - name: enrichments.indicator.file.elf.architecture
+    - name: enrichments.indicator.file.pe.exports
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Machine architecture of the ELF file.
-      example: x86-64
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
       default_field: false
-    - name: enrichments.indicator.file.elf.byte_order
+    - name: enrichments.indicator.file.pe.file_version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Byte sequence of ELF file.
-      example: Little Endian
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
       default_field: false
-    - name: enrichments.indicator.file.elf.cpu_type
+    - name: enrichments.indicator.file.pe.icon.hash.dhash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: CPU type of the ELF file.
-      example: Intel
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
       default_field: false
-    - name: enrichments.indicator.file.elf.creation_date
+    - name: enrichments.indicator.file.pe.imphash
       level: extended
-      type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
       default_field: false
-    - name: enrichments.indicator.file.elf.exports
+    - name: enrichments.indicator.file.pe.imports
       level: extended
       type: flattened
-      description: List of exported element names and types.
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
       default_field: false
-    - name: enrichments.indicator.file.elf.header.abi_version
+    - name: enrichments.indicator.file.pe.machine_type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF Application Binary Interface (ABI).
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
       default_field: false
-    - name: enrichments.indicator.file.elf.header.class
+    - name: enrichments.indicator.file.pe.original_file_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Header class of the ELF file.
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
       default_field: false
-    - name: enrichments.indicator.file.elf.header.data
+    - name: enrichments.indicator.file.pe.packers
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Data table of the ELF header.
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
       default_field: false
-    - name: enrichments.indicator.file.elf.header.entrypoint
+    - name: enrichments.indicator.file.pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: enrichments.indicator.file.pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: enrichments.indicator.file.pe.resources.chi2
       level: extended
       type: long
-      format: string
-      description: Header entrypoint of the ELF file.
+      description: Chi-square probability distribution.
+      example: -1
       default_field: false
-    - name: enrichments.indicator.file.elf.header.object_version
+    - name: enrichments.indicator.file.pe.resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: enrichments.indicator.file.pe.resources.filetype
       level: extended
       type: keyword
       ignore_above: 1024
-      description: '"0x1" for original ELF files.'
+      description: File type of the resources section.
+      example: Data
       default_field: false
-    - name: enrichments.indicator.file.elf.header.os_abi
+    - name: enrichments.indicator.file.pe.resources.language
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Application Binary Interface (ABI) of the Linux OS.
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
       default_field: false
-    - name: enrichments.indicator.file.elf.header.type
+    - name: enrichments.indicator.file.pe.resources.sha256
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Header type of the ELF file.
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
       default_field: false
-    - name: enrichments.indicator.file.elf.header.version
+    - name: enrichments.indicator.file.pe.resources.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF header.
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
       default_field: false
-    - name: enrichments.indicator.file.elf.imports
+    - name: enrichments.indicator.file.pe.rich_header.hash.md5
       level: extended
-      type: flattened
-      description: List of imported element names and types.
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
       default_field: false
-    - name: enrichments.indicator.file.elf.sections
+    - name: enrichments.indicator.file.pe.sections
       level: extended
       type: nested
-      description: 'An array containing an object for each section of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.sections.*`.'
+      description: Data about sections of compiled binary PE
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.chi2
+    - name: enrichments.indicator.file.pe.sections.chi2
       level: extended
       type: long
-      format: number
-      description: Chi-square probability distribution of the section.
+      description: Chi-square probability distribution.
+      example: 3027194
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.entropy
+    - name: enrichments.indicator.file.pe.sections.entropy
       level: extended
-      type: long
-      format: number
-      description: Shannon entropy calculation from the section.
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.flags
+    - name: enrichments.indicator.file.pe.sections.flags
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List flags.
+      description: Section flags of the file.
+      example: rx
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.name
+    - name: enrichments.indicator.file.pe.sections.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List name.
+      description: Section names of the file.
+      example: .text, .data
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.physical_offset
+    - name: enrichments.indicator.file.pe.sections.raw_size
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: ELF Section List offset.
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.physical_size
+    - name: enrichments.indicator.file.pe.sections.virtual_address
       level: extended
       type: long
       format: bytes
-      description: ELF Section List physical size.
+      description: Virtual address available to the file.
+      example: 8192
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.type
+    - name: enrichments.indicator.file.size
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: ELF Section List type.
+      type: long
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.virtual_address
+    - name: enrichments.indicator.file.target_path
       level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual address.
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Target path for symlinks.
       default_field: false
-    - name: enrichments.indicator.file.elf.sections.virtual_size
+    - name: enrichments.indicator.file.type
       level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual size.
+      type: keyword
+      ignore_above: 1024
+      description: File type (file, dir, or symlink).
+      example: file
       default_field: false
-    - name: enrichments.indicator.file.elf.segments
+    - name: enrichments.indicator.file.uid
       level: extended
-      type: nested
-      description: 'An array containing an object for each segment of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.segments.*`.'
+      type: keyword
+      ignore_above: 1024
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
       default_field: false
-    - name: enrichments.indicator.file.elf.segments.sections
+    - name: enrichments.indicator.file.x509.alternative_names
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment sections.
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
       default_field: false
-    - name: enrichments.indicator.file.elf.segments.type
+    - name: enrichments.indicator.file.x509.issuer.common_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment type.
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
       default_field: false
-    - name: enrichments.indicator.file.elf.shared_libraries
+    - name: enrichments.indicator.file.x509.issuer.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of shared libraries used by this ELF object.
+      description: List of country (C) codes
+      example: US
       default_field: false
-    - name: enrichments.indicator.file.elf.telfhash
+    - name: enrichments.indicator.file.x509.issuer.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: telfhash symbol hash for ELF file.
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
       default_field: false
-    - name: enrichments.indicator.file.extension
+    - name: enrichments.indicator.file.x509.issuer.locality
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'File extension, excluding the leading dot.
-
-        Note that when the file name has multiple extensions (example.tar.gz), only
-        the last one should be captured ("gz", not "tar.gz").'
-      example: png
+      description: List of locality names (L)
+      example: Mountain View
       default_field: false
-    - name: enrichments.indicator.file.fork_name
+    - name: enrichments.indicator.file.x509.issuer.organization
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A fork is additional data associated with a filesystem object.
-
-        On Linux, a resource fork is used to store additional data with a filesystem
-        object. A file always has at least one fork for the data portion, and additional
-        forks may exist.
-
-        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
-        data stream for a file is just called $DATA. Zone.Identifier is commonly used
-        by Windows to track contents downloaded from the Internet. An ADS is typically
-        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
-        is the value that should populate `fork_name`. `filename.extension` should
-        populate `file.name`, and `extension` should populate `file.extension`. The
-        full path, `file.path`, will include the fork name.'
-      example: Zone.Identifer
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
       default_field: false
-    - name: enrichments.indicator.file.gid
+    - name: enrichments.indicator.file.x509.issuer.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Primary group ID (GID) of the file.
-      example: '1001'
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
       default_field: false
-    - name: enrichments.indicator.file.group
+    - name: enrichments.indicator.file.x509.issuer.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Primary group name of the file.
-      example: alice
+      description: List of state or province names (ST, S, or P)
+      example: California
       default_field: false
-    - name: enrichments.indicator.file.inode
+    - name: enrichments.indicator.file.x509.not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: enrichments.indicator.file.x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: enrichments.indicator.file.x509.public_key_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Inode representing the file in the filesystem.
-      example: '256383'
+      description: Algorithm used to generate the public key.
+      example: RSA
       default_field: false
-    - name: enrichments.indicator.file.mime_type
+    - name: enrichments.indicator.file.x509.public_key_curve
       level: extended
       type: keyword
       ignore_above: 1024
-      description: MIME type should identify the format of the file or stream of bytes
-        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
-        official types], where possible. When more than one type is applicable, the
-        most specific type should be used.
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
       default_field: false
-    - name: enrichments.indicator.file.mode
+    - name: enrichments.indicator.file.x509.public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      doc_values: false
+      default_field: false
+    - name: enrichments.indicator.file.x509.public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: enrichments.indicator.file.x509.serial_number
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Mode of the file in octal representation.
-      example: '0640'
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
       default_field: false
-    - name: enrichments.indicator.file.mtime
+    - name: enrichments.indicator.file.x509.signature_algorithm
       level: extended
-      type: date
-      description: Last time the file content was modified.
+      type: keyword
+      ignore_above: 1024
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
       default_field: false
-    - name: enrichments.indicator.file.name
+    - name: enrichments.indicator.file.x509.subject.common_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the file including the extension, without the directory.
-      example: example.png
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
       default_field: false
-    - name: enrichments.indicator.file.owner
+    - name: enrichments.indicator.file.x509.subject.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File owner's username.
-      example: alice
+      description: List of country (C) code
+      example: US
       default_field: false
-    - name: enrichments.indicator.file.path
+    - name: enrichments.indicator.file.x509.subject.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Full path to the file, including the file name. It should include
-        the drive letter, when appropriate.
-      example: /home/alice/example.png
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
-    - name: enrichments.indicator.file.size
+    - name: enrichments.indicator.file.x509.subject.locality
       level: extended
-      type: long
-      description: 'File size in bytes.
-
-        Only relevant when `file.type` is "file".'
-      example: 16384
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: San Francisco
       default_field: false
-    - name: enrichments.indicator.file.target_path
+    - name: enrichments.indicator.file.x509.subject.organization
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Target path for symlinks.
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
       default_field: false
-    - name: enrichments.indicator.file.type
+    - name: enrichments.indicator.file.x509.subject.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File type (file, dir, or symlink).
-      example: file
+      description: List of organizational units (OU) of subject.
       default_field: false
-    - name: enrichments.indicator.file.uid
+    - name: enrichments.indicator.file.x509.subject.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The user ID (UID) or security identifier (SID) of the file owner.
-      example: '1001'
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: enrichments.indicator.file.x509.version_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of x509 format.
+      example: 3
       default_field: false
     - name: enrichments.indicator.first_seen
       level: extended
@@ -9105,1382 +8692,1560 @@
       description: Name of the continent.
       example: North America
       default_field: false
-    - name: enrichments.indicator.geo.country_iso_code
-      level: core
+    - name: enrichments.indicator.geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+      default_field: false
+    - name: enrichments.indicator.geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+      default_field: false
+    - name: enrichments.indicator.geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      default_field: false
+    - name: enrichments.indicator.geo.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      default_field: false
+    - name: enrichments.indicator.geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
+    - name: enrichments.indicator.geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+      default_field: false
+    - name: enrichments.indicator.geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+      default_field: false
+    - name: enrichments.indicator.geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
+    - name: enrichments.indicator.ip
+      level: extended
+      type: ip
+      description: Identifies a threat indicator as an IP address (irrespective of
+        direction).
+      example: 1.2.3.4
+      default_field: false
+    - name: enrichments.indicator.last_seen
+      level: extended
+      type: date
+      description: The date and time when intelligence source last reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: enrichments.indicator.marking.tlp
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
+        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+      example: White
+      default_field: false
+    - name: enrichments.indicator.modified_at
+      level: extended
+      type: date
+      description: The date and time when intelligence source last modified information
+        for this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: enrichments.indicator.port
+      level: extended
+      type: long
+      description: Identifies a threat indicator as a port number (irrespective of
+        direction).
+      example: 443
+      default_field: false
+    - name: enrichments.indicator.provider
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Country ISO code.
-      example: CA
+      description: The name of the indicator's provider.
+      example: lrz_urlhaus
       default_field: false
-    - name: enrichments.indicator.geo.country_name
-      level: core
+    - name: enrichments.indicator.reference
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Country name.
-      example: Canada
-      default_field: false
-    - name: enrichments.indicator.geo.location
-      level: core
-      type: geo_point
-      description: Longitude and latitude.
-      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      description: Reference URL linking to additional information about this indicator.
+      example: https://system.example.com/indicator/0001234
       default_field: false
-    - name: enrichments.indicator.geo.name
+    - name: enrichments.indicator.registry.data.bytes
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'User-defined description of a location, at the level of granularity
-        they care about.
+      description: 'Original bytes written with base64 encoding.
 
-        Could be the name of their data centers, the floor number, if this describes
-        a local physical entity, city names.
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+      default_field: false
+    - name: enrichments.indicator.registry.data.strings
+      level: core
+      type: wildcard
+      description: 'Content when writing string types.
 
-        Not typically used in automated geolocation.'
-      example: boston-dc
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
       default_field: false
-    - name: enrichments.indicator.geo.postal_code
+    - name: enrichments.indicator.registry.data.type
       level: core
       type: keyword
       ignore_above: 1024
-      description: 'Postal code associated with the location.
-
-        Values appropriate for this field may also be known as a postcode or ZIP code
-        and will vary widely from country to country.'
-      example: 94040
+      description: Standard registry type for encoding contents
+      example: REG_SZ
       default_field: false
-    - name: enrichments.indicator.geo.region_iso_code
+    - name: enrichments.indicator.registry.hive
       level: core
       type: keyword
       ignore_above: 1024
-      description: Region ISO code.
-      example: CA-QC
+      description: Abbreviated name for the hive.
+      example: HKLM
       default_field: false
-    - name: enrichments.indicator.geo.region_name
+    - name: enrichments.indicator.registry.key
       level: core
       type: keyword
       ignore_above: 1024
-      description: Region name.
-      example: Quebec
+      description: Hive-relative path of keys.
+      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
       default_field: false
-    - name: enrichments.indicator.geo.timezone
+    - name: enrichments.indicator.registry.path
       level: core
       type: keyword
       ignore_above: 1024
-      description: The time zone of the location, such as IANA time zone name.
-      example: America/Argentina/Buenos_Aires
+      description: Full path, including hive, key and value
+      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+        Options\winword.exe\Debugger
       default_field: false
-    - name: enrichments.indicator.hash.md5
-      level: extended
+    - name: enrichments.indicator.registry.value
+      level: core
       type: keyword
       ignore_above: 1024
-      description: MD5 hash.
+      description: Name of the value written.
+      example: Debugger
+      default_field: false
+    - name: enrichments.indicator.scanner_stats
+      level: extended
+      type: long
+      description: Count of AV/EDR vendors that successfully detected malicious file
+        or URL.
+      example: 4
       default_field: false
-    - name: enrichments.indicator.hash.sha1
+    - name: enrichments.indicator.sightings
+      level: extended
+      type: long
+      description: Number of times this indicator was observed conducting threat activity.
+      example: 20
+      default_field: false
+    - name: enrichments.indicator.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA1 hash.
+      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
+        \ Recommended values:\n  * autonomous-system\n  * artifact\n  * directory\n\
+        \  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n\
+        \  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n \
+        \ * user-account\n  * windows-registry-key\n  * x509-certificate"
+      example: ipv4-addr
       default_field: false
-    - name: enrichments.indicator.hash.sha256
+    - name: enrichments.indicator.url.domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA256 hash.
+      description: 'Domain of the url, such as "www.elastic.co".
+
+        In some cases a URL may refer to an IP and/or port directly, without a domain
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
+      example: www.elastic.co
       default_field: false
-    - name: enrichments.indicator.hash.sha512
+    - name: enrichments.indicator.url.extension
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA512 hash.
+      description: 'The field contains the file extension from the original request
+        url, excluding the leading dot.
+
+        The file extension is only set if it exists, as not every url has a file extension.
+
+        The leading period must not be included. For example, the value must be "png",
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
       default_field: false
-    - name: enrichments.indicator.hash.ssdeep
+    - name: enrichments.indicator.url.fragment
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SSDEEP hash.
+      description: 'Portion of the url after the `#`, such as "top".
+
+        The `#` is not part of the fragment.'
       default_field: false
-    - name: enrichments.indicator.ip
+    - name: enrichments.indicator.url.full
       level: extended
-      type: ip
-      description: Identifies a threat indicator as an IP address (irrespective of
-        direction).
-      example: 1.2.3.4
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: If full URLs are important to your use case, they should be stored
+        in `url.full`, whether this field is reconstructed or present in the event
+        source.
+      example: https://www.elastic.co:443/search?q=elasticsearch#top
       default_field: false
-    - name: enrichments.indicator.last_seen
+    - name: enrichments.indicator.url.original
       level: extended
-      type: date
-      description: The date and time when intelligence source last reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: 'Unmodified original url as seen in the event source.
+
+        Note that in network monitoring, the observed URL may be a full URL, whereas
+        in access logs, the URL is often just represented as a path.
+
+        This field is meant to represent the URL as it was observed, complete or not.'
+      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
       default_field: false
-    - name: enrichments.indicator.marking.tlp
+    - name: enrichments.indicator.url.password
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
-        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-      example: White
+      description: Password of the request.
       default_field: false
-    - name: enrichments.indicator.modified_at
+    - name: enrichments.indicator.url.path
       level: extended
-      type: date
-      description: The date and time when intelligence source last modified information
-        for this indicator.
-      example: '2020-11-05T17:25:47.000Z'
+      type: wildcard
+      description: Path of the request, such as "/search".
       default_field: false
-    - name: enrichments.indicator.pe.architecture
+    - name: enrichments.indicator.url.port
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: CPU architecture target for the file.
-      example: x64
+      type: long
+      format: string
+      description: Port of the request, such as 443.
+      example: 443
       default_field: false
-    - name: enrichments.indicator.pe.authentihash
+    - name: enrichments.indicator.url.query
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      description: 'The query field describes the query string of the request, such
+        as "q=elasticsearch".
+
+        The `?` is excluded from the query string. If a URL contains no `?`, there
+        is no query field. If there is a `?` but no query, the query field exists
+        with an empty string. The `exists` query can be used to differentiate between
+        the two cases.'
       default_field: false
-    - name: enrichments.indicator.pe.company
+    - name: enrichments.indicator.url.registered_domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      default_field: false
-    - name: enrichments.indicator.pe.compile_timestamp
-      level: extended
-      type: date
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
+      description: 'The highest registered url domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
       default_field: false
-    - name: enrichments.indicator.pe.compiler.name
+    - name: enrichments.indicator.url.scheme
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the compiler
-      example: Clang
+      description: 'Scheme of the request, such as "https".
+
+        Note: The `:` is not part of the scheme.'
+      example: https
       default_field: false
-    - name: enrichments.indicator.pe.compiler.version
+    - name: enrichments.indicator.url.subdomain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the compiler.
-      example: 11.0.0
-      default_field: false
-    - name: enrichments.indicator.pe.creation_date
-      level: extended
-      type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: enrichments.indicator.pe.debug
-      level: extended
-      type: nested
-      description: 'An array containing an object for each debug entry, if present.
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
 
-        The expected fields for this nested object fall under the `debug.` prefix.'
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
       default_field: false
-    - name: enrichments.indicator.pe.debug.offset
+    - name: enrichments.indicator.url.top_level_domain
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Debug offset information.
-      example: 1296336
-      default_field: false
-    - name: enrichments.indicator.pe.debug.size
-      level: extended
-      type: long
-      format: bytes
-      description: Size of the debug information.
-      example: 816
-      default_field: false
-    - name: enrichments.indicator.pe.debug.timestamp
-      level: extended
-      type: date
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
       default_field: false
-    - name: enrichments.indicator.pe.debug.type
+    - name: enrichments.indicator.url.username
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
+      description: Username of the request.
       default_field: false
-    - name: enrichments.indicator.pe.description
+    - name: enrichments.indicator.x509.alternative_names
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
       default_field: false
-    - name: enrichments.indicator.pe.entry_point
+    - name: enrichments.indicator.x509.issuer.common_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
       default_field: false
-    - name: enrichments.indicator.pe.exports
+    - name: enrichments.indicator.x509.issuer.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      description: List of country (C) codes
+      example: US
       default_field: false
-    - name: enrichments.indicator.pe.file_version
+    - name: enrichments.indicator.x509.issuer.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
       default_field: false
-    - name: enrichments.indicator.pe.icon.hash.dhash
+    - name: enrichments.indicator.x509.issuer.locality
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
+      description: List of locality names (L)
+      example: Mountain View
       default_field: false
-    - name: enrichments.indicator.pe.imphash
+    - name: enrichments.indicator.x509.issuer.organization
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      default_field: false
-    - name: enrichments.indicator.pe.imports
-      level: extended
-      type: flattened
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
       default_field: false
-    - name: enrichments.indicator.pe.machine_type
+    - name: enrichments.indicator.x509.issuer.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
       default_field: false
-    - name: enrichments.indicator.pe.original_file_name
+    - name: enrichments.indicator.x509.issuer.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
+      description: List of state or province names (ST, S, or P)
+      example: California
       default_field: false
-    - name: enrichments.indicator.pe.packers
+    - name: enrichments.indicator.x509.not_after
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
       default_field: false
-    - name: enrichments.indicator.pe.product
+    - name: enrichments.indicator.x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: enrichments.indicator.x509.public_key_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
+      description: Algorithm used to generate the public key.
+      example: RSA
       default_field: false
-    - name: enrichments.indicator.pe.resources
+    - name: enrichments.indicator.x509.public_key_curve
       level: extended
-      type: nested
-      description: 'An array containing an object for each PE resource, if present.
-
-        The expected fields for this nested object fall under the `resources.` prefix.'
+      type: keyword
+      ignore_above: 1024
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
       default_field: false
-    - name: enrichments.indicator.pe.resources.chi2
+    - name: enrichments.indicator.x509.public_key_exponent
       level: extended
       type: long
-      description: Chi-square probability distribution.
-      example: -1
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      doc_values: false
       default_field: false
-    - name: enrichments.indicator.pe.resources.entropy
+    - name: enrichments.indicator.x509.public_key_size
       level: extended
       type: long
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
+      description: The size of the public key space in bits.
+      example: 2048
       default_field: false
-    - name: enrichments.indicator.pe.resources.filetype
+    - name: enrichments.indicator.x509.serial_number
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File type of the resources section.
-      example: Data
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
       default_field: false
-    - name: enrichments.indicator.pe.resources.language
+    - name: enrichments.indicator.x509.signature_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
       default_field: false
-    - name: enrichments.indicator.pe.resources.sha256
+    - name: enrichments.indicator.x509.subject.common_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
       default_field: false
-    - name: enrichments.indicator.pe.resources.type
+    - name: enrichments.indicator.x509.subject.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
+      description: List of country (C) code
+      example: US
       default_field: false
-    - name: enrichments.indicator.pe.rich_header.hash.md5
+    - name: enrichments.indicator.x509.subject.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-      default_field: false
-    - name: enrichments.indicator.pe.sections
-      level: extended
-      type: nested
-      description: Data about sections of compiled binary PE
-      default_field: false
-    - name: enrichments.indicator.pe.sections.chi2
-      level: extended
-      type: long
-      description: Chi-square probability distribution.
-      example: 3027194
-      default_field: false
-    - name: enrichments.indicator.pe.sections.entropy
-      level: extended
-      type: float
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
-    - name: enrichments.indicator.pe.sections.flags
+    - name: enrichments.indicator.x509.subject.locality
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Section flags of the file.
-      example: rx
+      description: List of locality names (L)
+      example: San Francisco
       default_field: false
-    - name: enrichments.indicator.pe.sections.name
+    - name: enrichments.indicator.x509.subject.organization
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Section names of the file.
-      example: .text, .data
-      default_field: false
-    - name: enrichments.indicator.pe.sections.raw_size
-      level: extended
-      type: long
-      format: bytes
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      default_field: false
-    - name: enrichments.indicator.pe.sections.virtual_address
-      level: extended
-      type: long
-      format: bytes
-      description: Virtual address available to the file.
-      example: 8192
-      default_field: false
-    - name: enrichments.indicator.port
-      level: extended
-      type: long
-      description: Identifies a threat indicator as a port number (irrespective of
-        direction).
-      example: 443
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
       default_field: false
-    - name: enrichments.indicator.provider
+    - name: enrichments.indicator.x509.subject.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The name of the indicator's provider.
-      example: lrz_urlhaus
+      description: List of organizational units (OU) of subject.
       default_field: false
-    - name: enrichments.indicator.reference
+    - name: enrichments.indicator.x509.subject.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Reference URL linking to additional information about this indicator.
-      example: https://system.example.com/indicator/0001234
+      description: List of state or province names (ST, S, or P)
+      example: California
       default_field: false
-    - name: enrichments.indicator.registry.data.bytes
+    - name: enrichments.indicator.x509.version_number
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Original bytes written with base64 encoding.
-
-        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
-        corresponds to the data pointed by `lp_data`. This is optional but provides
-        better recoverability and should be populated for REG_BINARY encoded values.'
-      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-      default_field: false
-    - name: enrichments.indicator.registry.data.strings
-      level: core
-      type: wildcard
-      description: 'Content when writing string types.
-
-        Populated as an array when writing string data to the registry. For single
-        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
-        one string. For sequences of string with REG_MULTI_SZ, this array will be
-        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
-        be populated with the decimal representation (e.g `"1"`).'
-      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
-      default_field: false
-    - name: enrichments.indicator.registry.data.type
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Standard registry type for encoding contents
-      example: REG_SZ
+      description: Version of x509 format.
+      example: 3
       default_field: false
-    - name: enrichments.indicator.registry.hive
-      level: core
+    - name: enrichments.matched.atomic
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Abbreviated name for the hive.
-      example: HKLM
+      description: Identifies the atomic indicator value that matched a local environment
+        endpoint or network event.
+      example: bad-domain.com
       default_field: false
-    - name: enrichments.indicator.registry.key
-      level: core
+    - name: enrichments.matched.field
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Hive-relative path of keys.
-      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+      description: Identifies the field of the atomic indicator that matched a local
+        environment endpoint or network event.
+      example: file.hash.sha256
       default_field: false
-    - name: enrichments.indicator.registry.path
-      level: core
+    - name: enrichments.matched.id
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Full path, including hive, key and value
-      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
-        Options\winword.exe\Debugger
+      description: Identifies the _id of the indicator document enriching the event.
+      example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
       default_field: false
-    - name: enrichments.indicator.registry.value
-      level: core
+    - name: enrichments.matched.index
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the value written.
-      example: Debugger
+      description: Identifies the _index of the indicator document enriching the event.
+      example: filebeat-8.0.0-2021.05.23-000011
       default_field: false
-    - name: enrichments.indicator.scanner_stats
+    - name: enrichments.matched.occurred
       level: extended
-      type: long
-      description: Count of AV/EDR vendors that successfully detected malicious file
-        or URL.
-      example: 4
+      type: date
+      description: Indicates when the indicator match was generated
+      example: 2021-10-05 17:00:58.326000+00:00
       default_field: false
-    - name: enrichments.indicator.sightings
+    - name: enrichments.matched.type
       level: extended
-      type: long
-      description: Number of times this indicator was observed conducting threat activity.
-      example: 20
+      type: keyword
+      ignore_above: 1024
+      description: Identifies the type of match that caused the event to be enriched
+        with the given indicator
+      example: indicator_match_rule
       default_field: false
-    - name: enrichments.indicator.type
+    - name: framework
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
-        \ Recommended values:\n  * autonomous-system\n  * artifact\n  * directory\n\
-        \  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n\
-        \  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n \
-        \ * user-account\n  * windows-registry-key\n  * x509-certificate"
-      example: ipv4-addr
+      description: Name of the threat framework used to further categorize and classify
+        the tactic and technique of the reported threat. Framework classification
+        can be provided by detecting systems, evaluated at ingest time, or retrospectively
+        tagged to events.
+      example: MITRE ATT&CK
+    - name: group.alias
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The alias(es) of the group for a set of related intrusion activity\
+        \ that are tracked by a common name in the security community.\nWhile not\
+        \ required, you can use a MITRE ATT&CK\xAE group alias(es)."
+      example: '[ "Magecart Group 6" ]'
       default_field: false
-    - name: enrichments.indicator.url.domain
+    - name: group.id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Domain of the url, such as "www.elastic.co".
-
-        In some cases a URL may refer to an IP and/or port directly, without a domain
-        name. In this case, the IP address would go to the `domain` field.
-
-        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
-        2732), the `[` and `]` characters should also be captured in the `domain`
-        field.'
-      example: www.elastic.co
+      description: "The id of the group for a set of related intrusion activity that\
+        \ are tracked by a common name in the security community.\nWhile not required,\
+        \ you can use a MITRE ATT&CK\xAE group id."
+      example: G0037
       default_field: false
-    - name: enrichments.indicator.url.extension
+    - name: group.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The field contains the file extension from the original request
-        url, excluding the leading dot.
-
-        The file extension is only set if it exists, as not every url has a file extension.
-
-        The leading period must not be included. For example, the value must be "png",
-        not ".png".
-
-        Note that when the file name has multiple extensions (example.tar.gz), only
-        the last one should be captured ("gz", not "tar.gz").'
-      example: png
+      description: "The name of the group for a set of related intrusion activity\
+        \ that are tracked by a common name in the security community.\nWhile not\
+        \ required, you can use a MITRE ATT&CK\xAE group name."
+      example: FIN6
       default_field: false
-    - name: enrichments.indicator.url.fragment
+    - name: group.reference
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Portion of the url after the `#`, such as "top".
-
-        The `#` is not part of the fragment.'
+      description: "The reference URL of the group for a set of related intrusion\
+        \ activity that are tracked by a common name in the security community.\n\
+        While not required, you can use a MITRE ATT&CK\xAE group reference URL."
+      example: https://attack.mitre.org/groups/G0037/
       default_field: false
-    - name: enrichments.indicator.url.full
+    - name: indicator.as.number
       level: extended
-      type: wildcard
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: If full URLs are important to your use case, they should be stored
-        in `url.full`, whether this field is reconstructed or present in the event
-        source.
-      example: https://www.elastic.co:443/search?q=elasticsearch#top
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
       default_field: false
-    - name: enrichments.indicator.url.original
+    - name: indicator.as.organization.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: match_only_text
-      description: 'Unmodified original url as seen in the event source.
-
-        Note that in network monitoring, the observed URL may be a full URL, whereas
-        in access logs, the URL is often just represented as a path.
-
-        This field is meant to represent the URL as it was observed, complete or not.'
-      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+      description: Organization name.
+      example: Google LLC
       default_field: false
-    - name: enrichments.indicator.url.password
+    - name: indicator.confidence
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Password of the request.
-      default_field: false
-    - name: enrichments.indicator.url.path
-      level: extended
-      type: wildcard
-      description: Path of the request, such as "/search".
+      description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the\
+        \ None/Low/Medium/High\_scale defined in Appendix A of the STIX 2.1 framework.\
+        \ Vendor-specific confidence scales may be added as custom fields.\nExpected\
+        \ values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
+      example: Medium
       default_field: false
-    - name: enrichments.indicator.url.port
+    - name: indicator.description
       level: extended
-      type: long
-      format: string
-      description: Port of the request, such as 443.
-      example: 443
+      type: keyword
+      ignore_above: 1024
+      description: Describes the type of action conducted by the threat.
+      example: IP x.x.x.x was observed delivering the Angler EK.
       default_field: false
-    - name: enrichments.indicator.url.query
+    - name: indicator.email.address
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: Identifies a threat indicator as an email address (irrespective
+        of direction).
+      example: phish@example.com
+      default_field: false
+    - name: indicator.file.accessed
+      level: extended
+      type: date
+      description: 'Last time the file was accessed.
 
-        The `?` is excluded from the query string. If a URL contains no `?`, there
-        is no query field. If there is a `?` but no query, the query field exists
-        with an empty string. The `exists` query can be used to differentiate between
-        the two cases.'
+        Note that not all filesystems keep track of access time.'
       default_field: false
-    - name: enrichments.indicator.url.registered_domain
+    - name: indicator.file.attributes
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The highest registered url domain, stripped of the subdomain.
-
-        For example, the registered domain for "foo.example.com" is "example.com".
+      description: 'Array of file attributes.
 
-        This value can be determined precisely with a list like the public suffix
-        list (http://publicsuffix.org). Trying to approximate this by simply taking
-        the last two labels will not work well for TLDs such as "co.uk".'
-      example: example.com
+        Attributes names will vary by platform. Here''s a non-exhaustive list of values
+        that are expected in this field: archive, compressed, directory, encrypted,
+        execute, hidden, read, readonly, system, write.'
+      example: '["readonly", "system"]'
       default_field: false
-    - name: enrichments.indicator.url.scheme
+    - name: indicator.file.code_signature.digest_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Scheme of the request, such as "https".
+      description: 'The hashing algorithm used to sign the process.
 
-        Note: The `:` is not part of the scheme.'
-      example: https
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
       default_field: false
-    - name: enrichments.indicator.url.subdomain
+    - name: indicator.file.code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: indicator.file.code_signature.signing_id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The subdomain portion of a fully qualified domain name includes
-        all of the names except the host name under the registered_domain.  In a partially
-        qualified domain, or if the the qualification level of the full name cannot
-        be determined, subdomain contains all of the names below the registered domain.
+      description: 'The identifier used to sign the process.
 
-        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
-        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
-        the subdomain field should contain "sub2.sub1", with no trailing period.'
-      example: east
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
       default_field: false
-    - name: enrichments.indicator.url.top_level_domain
+    - name: indicator.file.code_signature.status
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The effective top level domain (eTLD), also known as the domain
-        suffix, is the last part of the domain name. For example, the top level domain
-        for example.com is "com".
+      description: 'Additional information about the certificate status.
 
-        This value can be determined precisely with a list like the public suffix
-        list (http://publicsuffix.org). Trying to approximate this by simply taking
-        the last label will not work well for effective TLDs such as "co.uk".'
-      example: co.uk
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
       default_field: false
-    - name: enrichments.indicator.url.username
-      level: extended
+    - name: indicator.file.code_signature.subject_name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: Username of the request.
+      description: Subject name of the code signer
+      example: Microsoft Corporation
       default_field: false
-    - name: enrichments.indicator.x509.alternative_names
+    - name: indicator.file.code_signature.team_id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of subject alternative names (SAN). Name types vary by certificate
-        authority and certificate type but commonly contain IP addresses, DNS names
-        (and wildcards), and email addresses.
-      example: '*.elastic.co'
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
       default_field: false
-    - name: enrichments.indicator.x509.issuer.common_name
+    - name: indicator.file.code_signature.timestamp
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: List of common name (CN) of issuing certificate authority.
-      example: Example SHA2 High Assurance Server CA
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
+    - name: indicator.file.code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: indicator.file.code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
+    - name: indicator.file.created
+      level: extended
+      type: date
+      description: 'File creation time.
+
+        Note that not all filesystems store the creation time.'
+      default_field: false
+    - name: indicator.file.ctime
+      level: extended
+      type: date
+      description: 'Last time the file attributes or metadata changed.
+
+        Note that changes to the file content will update `mtime`. This implies `ctime`
+        will be adjusted at the same time, since `mtime` is an attribute of the file.'
       default_field: false
-    - name: enrichments.indicator.x509.issuer.country
+    - name: indicator.file.device
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of country (C) codes
-      example: US
+      description: Device that is the source of the file.
+      example: sda
       default_field: false
-    - name: enrichments.indicator.x509.issuer.distinguished_name
+    - name: indicator.file.directory
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Distinguished name (DN) of issuing certificate authority.
-      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
-        Server CA
+      description: Directory where the file is located. It should include the drive
+        letter, when appropriate.
+      example: /home/alice
       default_field: false
-    - name: enrichments.indicator.x509.issuer.locality
+    - name: indicator.file.drive_letter
       level: extended
       type: keyword
-      ignore_above: 1024
-      description: List of locality names (L)
-      example: Mountain View
+      ignore_above: 1
+      description: 'Drive letter where the file is located. This field is only relevant
+        on Windows.
+
+        The value should be uppercase, and not include the colon.'
+      example: C
       default_field: false
-    - name: enrichments.indicator.x509.issuer.organization
+    - name: indicator.file.elf.architecture
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of organizations (O) of issuing certificate authority.
-      example: Example Inc
+      description: Machine architecture of the ELF file.
+      example: x86-64
       default_field: false
-    - name: enrichments.indicator.x509.issuer.organizational_unit
+    - name: indicator.file.elf.byte_order
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of organizational units (OU) of issuing certificate authority.
-      example: www.example.com
+      description: Byte sequence of ELF file.
+      example: Little Endian
       default_field: false
-    - name: enrichments.indicator.x509.issuer.state_or_province
+    - name: indicator.file.elf.cpu_type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of state or province names (ST, S, or P)
-      example: California
+      description: CPU type of the ELF file.
+      example: Intel
       default_field: false
-    - name: enrichments.indicator.x509.not_after
+    - name: indicator.file.elf.creation_date
       level: extended
       type: date
-      description: Time at which the certificate is no longer considered valid.
-      example: 2020-07-16 03:15:39+00:00
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
       default_field: false
-    - name: enrichments.indicator.x509.not_before
+    - name: indicator.file.elf.exports
       level: extended
-      type: date
-      description: Time at which the certificate is first considered valid.
-      example: 2019-08-16 01:40:25+00:00
+      type: flattened
+      description: List of exported element names and types.
       default_field: false
-    - name: enrichments.indicator.x509.public_key_algorithm
+    - name: indicator.file.elf.header.abi_version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Algorithm used to generate the public key.
-      example: RSA
+      description: Version of the ELF Application Binary Interface (ABI).
       default_field: false
-    - name: enrichments.indicator.x509.public_key_curve
+    - name: indicator.file.elf.header.class
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The curve used by the elliptic curve public key algorithm. This
-        is algorithm specific.
-      example: nistp521
+      description: Header class of the ELF file.
       default_field: false
-    - name: enrichments.indicator.x509.public_key_exponent
+    - name: indicator.file.elf.header.data
       level: extended
-      type: long
-      description: Exponent used to derive the public key. This is algorithm specific.
-      example: 65537
-      index: false
-      doc_values: false
+      type: keyword
+      ignore_above: 1024
+      description: Data table of the ELF header.
       default_field: false
-    - name: enrichments.indicator.x509.public_key_size
+    - name: indicator.file.elf.header.entrypoint
       level: extended
       type: long
-      description: The size of the public key space in bits.
-      example: 2048
+      format: string
+      description: Header entrypoint of the ELF file.
       default_field: false
-    - name: enrichments.indicator.x509.serial_number
+    - name: indicator.file.elf.header.object_version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Unique serial number issued by the certificate authority. For consistency,
-        if this value is alphanumeric, it should be formatted without colons and uppercase
-        characters.
-      example: 55FBB9C7DEBF09809D12CCAA
+      description: '"0x1" for original ELF files.'
       default_field: false
-    - name: enrichments.indicator.x509.signature_algorithm
+    - name: indicator.file.elf.header.os_abi
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifier for certificate signature algorithm. We recommend using
-        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-      example: SHA256-RSA
+      description: Application Binary Interface (ABI) of the Linux OS.
       default_field: false
-    - name: enrichments.indicator.x509.subject.common_name
+    - name: indicator.file.elf.header.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of common names (CN) of subject.
-      example: shared.global.example.net
+      description: Header type of the ELF file.
       default_field: false
-    - name: enrichments.indicator.x509.subject.country
+    - name: indicator.file.elf.header.version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of country (C) code
-      example: US
+      description: Version of the ELF header.
       default_field: false
-    - name: enrichments.indicator.x509.subject.distinguished_name
+    - name: indicator.file.elf.imports
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Distinguished name (DN) of the certificate subject entity.
-      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      type: flattened
+      description: List of imported element names and types.
       default_field: false
-    - name: enrichments.indicator.x509.subject.locality
+    - name: indicator.file.elf.sections
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: List of locality names (L)
-      example: San Francisco
+      type: nested
+      description: 'An array containing an object for each section of the ELF file.
+
+        The keys that should be present in these objects are defined by sub-fields
+        underneath `elf.sections.*`.'
       default_field: false
-    - name: enrichments.indicator.x509.subject.organization
+    - name: indicator.file.elf.sections.chi2
+      level: extended
+      type: long
+      format: number
+      description: Chi-square probability distribution of the section.
+      default_field: false
+    - name: indicator.file.elf.sections.entropy
+      level: extended
+      type: long
+      format: number
+      description: Shannon entropy calculation from the section.
+      default_field: false
+    - name: indicator.file.elf.sections.flags
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of organizations (O) of subject.
-      example: Example, Inc.
+      description: ELF Section List flags.
       default_field: false
-    - name: enrichments.indicator.x509.subject.organizational_unit
+    - name: indicator.file.elf.sections.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of organizational units (OU) of subject.
+      description: ELF Section List name.
       default_field: false
-    - name: enrichments.indicator.x509.subject.state_or_province
+    - name: indicator.file.elf.sections.physical_offset
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of state or province names (ST, S, or P)
-      example: California
+      description: ELF Section List offset.
       default_field: false
-    - name: enrichments.indicator.x509.version_number
+    - name: indicator.file.elf.sections.physical_size
+      level: extended
+      type: long
+      format: bytes
+      description: ELF Section List physical size.
+      default_field: false
+    - name: indicator.file.elf.sections.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of x509 format.
-      example: 3
+      description: ELF Section List type.
       default_field: false
-    - name: enrichments.matched.atomic
+    - name: indicator.file.elf.sections.virtual_address
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual address.
+      default_field: false
+    - name: indicator.file.elf.sections.virtual_size
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual size.
+      default_field: false
+    - name: indicator.file.elf.segments
+      level: extended
+      type: nested
+      description: 'An array containing an object for each segment of the ELF file.
+
+        The keys that should be present in these objects are defined by sub-fields
+        underneath `elf.segments.*`.'
+      default_field: false
+    - name: indicator.file.elf.segments.sections
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifies the atomic indicator value that matched a local environment
-        endpoint or network event.
-      example: bad-domain.com
+      description: ELF object segment sections.
       default_field: false
-    - name: enrichments.matched.field
+    - name: indicator.file.elf.segments.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifies the field of the atomic indicator that matched a local
-        environment endpoint or network event.
-      example: file.hash.sha256
+      description: ELF object segment type.
       default_field: false
-    - name: enrichments.matched.id
+    - name: indicator.file.elf.shared_libraries
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifies the _id of the indicator document enriching the event.
-      example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+      description: List of shared libraries used by this ELF object.
       default_field: false
-    - name: enrichments.matched.index
+    - name: indicator.file.elf.telfhash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifies the _index of the indicator document enriching the event.
-      example: filebeat-8.0.0-2021.05.23-000011
+      description: telfhash symbol hash for ELF file.
       default_field: false
-    - name: enrichments.matched.type
+    - name: indicator.file.extension
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifies the type of match that caused the event to be enriched
-        with the given indicator
-      example: indicator_match_rule
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
       default_field: false
-    - name: framework
+    - name: indicator.file.fork_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the threat framework used to further categorize and classify
-        the tactic and technique of the reported threat. Framework classification
-        can be provided by detecting systems, evaluated at ingest time, or retrospectively
-        tagged to events.
-      example: MITRE ATT&CK
-    - name: group.alias
+      description: 'A fork is additional data associated with a filesystem object.
+
+        On Linux, a resource fork is used to store additional data with a filesystem
+        object. A file always has at least one fork for the data portion, and additional
+        forks may exist.
+
+        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+        data stream for a file is just called $DATA. Zone.Identifier is commonly used
+        by Windows to track contents downloaded from the Internet. An ADS is typically
+        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+        is the value that should populate `fork_name`. `filename.extension` should
+        populate `file.name`, and `extension` should populate `file.extension`. The
+        full path, `file.path`, will include the fork name.'
+      example: Zone.Identifer
+      default_field: false
+    - name: indicator.file.gid
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "The alias(es) of the group for a set of related intrusion activity\
-        \ that are tracked by a common name in the security community.\nWhile not\
-        \ required, you can use a MITRE ATT&CK\xAE group alias(es)."
-      example: '[ "Magecart Group 6" ]'
+      description: Primary group ID (GID) of the file.
+      example: '1001'
       default_field: false
-    - name: group.id
+    - name: indicator.file.group
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "The id of the group for a set of related intrusion activity that\
-        \ are tracked by a common name in the security community.\nWhile not required,\
-        \ you can use a MITRE ATT&CK\xAE group id."
-      example: G0037
+      description: Primary group name of the file.
+      example: alice
+      default_field: false
+    - name: indicator.file.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
       default_field: false
-    - name: group.name
+    - name: indicator.file.hash.sha1
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "The name of the group for a set of related intrusion activity\
-        \ that are tracked by a common name in the security community.\nWhile not\
-        \ required, you can use a MITRE ATT&CK\xAE group name."
-      example: FIN6
+      description: SHA1 hash.
       default_field: false
-    - name: group.reference
+    - name: indicator.file.hash.sha256
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "The reference URL of the group for a set of related intrusion\
-        \ activity that are tracked by a common name in the security community.\n\
-        While not required, you can use a MITRE ATT&CK\xAE group reference URL."
-      example: https://attack.mitre.org/groups/G0037/
+      description: SHA256 hash.
       default_field: false
-    - name: indicator.as.number
+    - name: indicator.file.hash.sha512
       level: extended
-      type: long
-      description: Unique number allocated to the autonomous system. The autonomous
-        system number (ASN) uniquely identifies each network on the Internet.
-      example: 15169
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
       default_field: false
-    - name: indicator.as.organization.name
+    - name: indicator.file.hash.ssdeep
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Organization name.
-      example: Google LLC
+      description: SSDEEP hash.
       default_field: false
-    - name: indicator.confidence
+    - name: indicator.file.inode
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the\
-        \ None/Low/Medium/High\_scale defined in Appendix A of the STIX 2.1 framework.\
-        \ Vendor-specific confidence scales may be added as custom fields.\nExpected\
-        \ values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
-      example: Medium
+      description: Inode representing the file in the filesystem.
+      example: '256383'
       default_field: false
-    - name: indicator.description
+    - name: indicator.file.mime_type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Describes the type of action conducted by the threat.
-      example: IP x.x.x.x was observed delivering the Angler EK.
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
       default_field: false
-    - name: indicator.email.address
+    - name: indicator.file.mode
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Identifies a threat indicator as an email address (irrespective
-        of direction).
-      example: phish@example.com
+      description: Mode of the file in octal representation.
+      example: '0640'
       default_field: false
-    - name: indicator.file.accessed
+    - name: indicator.file.mtime
       level: extended
       type: date
-      description: 'Last time the file was accessed.
-
-        Note that not all filesystems keep track of access time.'
+      description: Last time the file content was modified.
       default_field: false
-    - name: indicator.file.attributes
+    - name: indicator.file.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Array of file attributes.
-
-        Attributes names will vary by platform. Here''s a non-exhaustive list of values
-        that are expected in this field: archive, compressed, directory, encrypted,
-        execute, hidden, read, readonly, system, write.'
-      example: '["readonly", "system"]'
+      description: Name of the file including the extension, without the directory.
+      example: example.png
       default_field: false
-    - name: indicator.file.code_signature.digest_algorithm
+    - name: indicator.file.owner
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The hashing algorithm used to sign the process.
-
-        This value can distinguish signatures when a file is signed multiple times
-        by the same signer but with a different digest algorithm.'
-      example: sha256
+      description: File owner's username.
+      example: alice
       default_field: false
-    - name: indicator.file.code_signature.exists
-      level: core
-      type: boolean
-      description: Boolean to capture if a signature is present.
-      example: 'true'
+    - name: indicator.file.path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
       default_field: false
-    - name: indicator.file.code_signature.signing_id
+    - name: indicator.file.pe.architecture
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The identifier used to sign the process.
-
-        This is used to identify the application manufactured by a software vendor.
-        The field is relevant to Apple *OS only.'
-      example: com.apple.xpc.proxy
+      description: CPU architecture target for the file.
+      example: x64
       default_field: false
-    - name: indicator.file.code_signature.status
+    - name: indicator.file.pe.authentihash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Additional information about the certificate status.
-
-        This is useful for logging cryptographic errors with the certificate validity
-        or trust status. Leave unpopulated if the validity or trust of the certificate
-        was unchecked.'
-      example: ERROR_UNTRUSTED_ROOT
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
       default_field: false
-    - name: indicator.file.code_signature.subject_name
-      level: core
+    - name: indicator.file.pe.company
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Subject name of the code signer
+      description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
-    - name: indicator.file.code_signature.team_id
+    - name: indicator.file.pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: indicator.file.pe.compiler.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The team identifier used to sign the process.
-
-        This is used to identify the team or vendor of a software product. The field
-        is relevant to Apple *OS only.'
-      example: EQHXZ8M8AV
+      description: Name of the compiler
+      example: Clang
       default_field: false
-    - name: indicator.file.code_signature.timestamp
+    - name: indicator.file.pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: indicator.file.pe.creation_date
       level: extended
       type: date
-      description: Date and time when the code signature was generated and signed.
-      example: '2021-01-01T12:10:30Z'
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: indicator.file.code_signature.trusted
+    - name: indicator.file.pe.debug
       level: extended
-      type: boolean
-      description: 'Stores the trust status of the certificate chain.
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
 
-        Validating the trust of the certificate chain may be complicated, and this
-        field should only be populated by tools that actively check the status.'
-      example: 'true'
+        The expected fields for this nested object fall under the `debug.` prefix.'
       default_field: false
-    - name: indicator.file.code_signature.valid
+    - name: indicator.file.pe.debug.offset
       level: extended
-      type: boolean
-      description: 'Boolean to capture if the digital signature is verified against
-        the binary content.
-
-        Leave unpopulated if a certificate was unchecked.'
-      example: 'true'
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
       default_field: false
-    - name: indicator.file.created
+    - name: indicator.file.pe.debug.size
       level: extended
-      type: date
-      description: 'File creation time.
-
-        Note that not all filesystems store the creation time.'
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
       default_field: false
-    - name: indicator.file.ctime
+    - name: indicator.file.pe.debug.timestamp
       level: extended
       type: date
-      description: 'Last time the file attributes or metadata changed.
-
-        Note that changes to the file content will update `mtime`. This implies `ctime`
-        will be adjusted at the same time, since `mtime` is an attribute of the file.'
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: indicator.file.device
+    - name: indicator.file.pe.debug.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Device that is the source of the file.
-      example: sda
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
       default_field: false
-    - name: indicator.file.directory
+    - name: indicator.file.pe.description
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Directory where the file is located. It should include the drive
-        letter, when appropriate.
-      example: /home/alice
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
       default_field: false
-    - name: indicator.file.drive_letter
+    - name: indicator.file.pe.entry_point
       level: extended
       type: keyword
-      ignore_above: 1
-      description: 'Drive letter where the file is located. This field is only relevant
-        on Windows.
-
-        The value should be uppercase, and not include the colon.'
-      example: C
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
       default_field: false
-    - name: indicator.file.elf.architecture
+    - name: indicator.file.pe.exports
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Machine architecture of the ELF file.
-      example: x86-64
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
       default_field: false
-    - name: indicator.file.elf.byte_order
+    - name: indicator.file.pe.file_version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Byte sequence of ELF file.
-      example: Little Endian
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
       default_field: false
-    - name: indicator.file.elf.cpu_type
+    - name: indicator.file.pe.icon.hash.dhash
       level: extended
       type: keyword
       ignore_above: 1024
-      description: CPU type of the ELF file.
-      example: Intel
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
       default_field: false
-    - name: indicator.file.elf.creation_date
+    - name: indicator.file.pe.imphash
       level: extended
-      type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
       default_field: false
-    - name: indicator.file.elf.exports
+    - name: indicator.file.pe.imports
       level: extended
       type: flattened
-      description: List of exported element names and types.
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
       default_field: false
-    - name: indicator.file.elf.header.abi_version
+    - name: indicator.file.pe.machine_type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF Application Binary Interface (ABI).
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
       default_field: false
-    - name: indicator.file.elf.header.class
+    - name: indicator.file.pe.original_file_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Header class of the ELF file.
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
       default_field: false
-    - name: indicator.file.elf.header.data
+    - name: indicator.file.pe.packers
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Data table of the ELF header.
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
+    - name: indicator.file.pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: indicator.file.pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: indicator.file.pe.resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
       default_field: false
-    - name: indicator.file.elf.header.entrypoint
+    - name: indicator.file.pe.resources.entropy
       level: extended
       type: long
-      format: string
-      description: Header entrypoint of the ELF file.
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
       default_field: false
-    - name: indicator.file.elf.header.object_version
+    - name: indicator.file.pe.resources.filetype
       level: extended
       type: keyword
       ignore_above: 1024
-      description: '"0x1" for original ELF files.'
+      description: File type of the resources section.
+      example: Data
       default_field: false
-    - name: indicator.file.elf.header.os_abi
+    - name: indicator.file.pe.resources.language
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Application Binary Interface (ABI) of the Linux OS.
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
       default_field: false
-    - name: indicator.file.elf.header.type
+    - name: indicator.file.pe.resources.sha256
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Header type of the ELF file.
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
       default_field: false
-    - name: indicator.file.elf.header.version
+    - name: indicator.file.pe.resources.type
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Version of the ELF header.
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
       default_field: false
-    - name: indicator.file.elf.imports
+    - name: indicator.file.pe.rich_header.hash.md5
       level: extended
-      type: flattened
-      description: List of imported element names and types.
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
       default_field: false
-    - name: indicator.file.elf.sections
+    - name: indicator.file.pe.sections
       level: extended
       type: nested
-      description: 'An array containing an object for each section of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.sections.*`.'
+      description: Data about sections of compiled binary PE
       default_field: false
-    - name: indicator.file.elf.sections.chi2
+    - name: indicator.file.pe.sections.chi2
       level: extended
       type: long
-      format: number
-      description: Chi-square probability distribution of the section.
+      description: Chi-square probability distribution.
+      example: 3027194
       default_field: false
-    - name: indicator.file.elf.sections.entropy
+    - name: indicator.file.pe.sections.entropy
       level: extended
-      type: long
-      format: number
-      description: Shannon entropy calculation from the section.
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
       default_field: false
-    - name: indicator.file.elf.sections.flags
+    - name: indicator.file.pe.sections.flags
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List flags.
+      description: Section flags of the file.
+      example: rx
       default_field: false
-    - name: indicator.file.elf.sections.name
+    - name: indicator.file.pe.sections.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List name.
+      description: Section names of the file.
+      example: .text, .data
       default_field: false
-    - name: indicator.file.elf.sections.physical_offset
+    - name: indicator.file.pe.sections.raw_size
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: ELF Section List offset.
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
       default_field: false
-    - name: indicator.file.elf.sections.physical_size
+    - name: indicator.file.pe.sections.virtual_address
       level: extended
       type: long
       format: bytes
-      description: ELF Section List physical size.
+      description: Virtual address available to the file.
+      example: 8192
       default_field: false
-    - name: indicator.file.elf.sections.type
+    - name: indicator.file.size
+      level: extended
+      type: long
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      default_field: false
+    - name: indicator.file.target_path
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List type.
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Target path for symlinks.
       default_field: false
-    - name: indicator.file.elf.sections.virtual_address
+    - name: indicator.file.type
       level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual address.
+      type: keyword
+      ignore_above: 1024
+      description: File type (file, dir, or symlink).
+      example: file
       default_field: false
-    - name: indicator.file.elf.sections.virtual_size
+    - name: indicator.file.uid
       level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual size.
+      type: keyword
+      ignore_above: 1024
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
       default_field: false
-    - name: indicator.file.elf.segments
+    - name: indicator.file.x509.alternative_names
       level: extended
-      type: nested
-      description: 'An array containing an object for each segment of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.segments.*`.'
+      type: keyword
+      ignore_above: 1024
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
       default_field: false
-    - name: indicator.file.elf.segments.sections
+    - name: indicator.file.x509.issuer.common_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment sections.
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
       default_field: false
-    - name: indicator.file.elf.segments.type
+    - name: indicator.file.x509.issuer.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment type.
+      description: List of country (C) codes
+      example: US
       default_field: false
-    - name: indicator.file.elf.shared_libraries
+    - name: indicator.file.x509.issuer.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of shared libraries used by this ELF object.
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
       default_field: false
-    - name: indicator.file.elf.telfhash
+    - name: indicator.file.x509.issuer.locality
       level: extended
       type: keyword
       ignore_above: 1024
-      description: telfhash symbol hash for ELF file.
+      description: List of locality names (L)
+      example: Mountain View
       default_field: false
-    - name: indicator.file.extension
+    - name: indicator.file.x509.issuer.organization
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'File extension, excluding the leading dot.
-
-        Note that when the file name has multiple extensions (example.tar.gz), only
-        the last one should be captured ("gz", not "tar.gz").'
-      example: png
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
       default_field: false
-    - name: indicator.file.fork_name
+    - name: indicator.file.x509.issuer.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A fork is additional data associated with a filesystem object.
-
-        On Linux, a resource fork is used to store additional data with a filesystem
-        object. A file always has at least one fork for the data portion, and additional
-        forks may exist.
-
-        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
-        data stream for a file is just called $DATA. Zone.Identifier is commonly used
-        by Windows to track contents downloaded from the Internet. An ADS is typically
-        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
-        is the value that should populate `fork_name`. `filename.extension` should
-        populate `file.name`, and `extension` should populate `file.extension`. The
-        full path, `file.path`, will include the fork name.'
-      example: Zone.Identifer
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
       default_field: false
-    - name: indicator.file.gid
+    - name: indicator.file.x509.issuer.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Primary group ID (GID) of the file.
-      example: '1001'
+      description: List of state or province names (ST, S, or P)
+      example: California
       default_field: false
-    - name: indicator.file.group
+    - name: indicator.file.x509.not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: indicator.file.x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: indicator.file.x509.public_key_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Primary group name of the file.
-      example: alice
+      description: Algorithm used to generate the public key.
+      example: RSA
       default_field: false
-    - name: indicator.file.inode
+    - name: indicator.file.x509.public_key_curve
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Inode representing the file in the filesystem.
-      example: '256383'
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
       default_field: false
-    - name: indicator.file.mime_type
+    - name: indicator.file.x509.public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      doc_values: false
+      default_field: false
+    - name: indicator.file.x509.public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: indicator.file.x509.serial_number
       level: extended
       type: keyword
       ignore_above: 1024
-      description: MIME type should identify the format of the file or stream of bytes
-        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
-        official types], where possible. When more than one type is applicable, the
-        most specific type should be used.
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
       default_field: false
-    - name: indicator.file.mode
+    - name: indicator.file.x509.signature_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Mode of the file in octal representation.
-      example: '0640'
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
       default_field: false
-    - name: indicator.file.mtime
+    - name: indicator.file.x509.subject.common_name
       level: extended
-      type: date
-      description: Last time the file content was modified.
+      type: keyword
+      ignore_above: 1024
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
       default_field: false
-    - name: indicator.file.name
+    - name: indicator.file.x509.subject.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the file including the extension, without the directory.
-      example: example.png
+      description: List of country (C) code
+      example: US
       default_field: false
-    - name: indicator.file.owner
+    - name: indicator.file.x509.subject.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File owner's username.
-      example: alice
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
-    - name: indicator.file.path
+    - name: indicator.file.x509.subject.locality
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Full path to the file, including the file name. It should include
-        the drive letter, when appropriate.
-      example: /home/alice/example.png
+      description: List of locality names (L)
+      example: San Francisco
       default_field: false
-    - name: indicator.file.size
+    - name: indicator.file.x509.subject.organization
       level: extended
-      type: long
-      description: 'File size in bytes.
-
-        Only relevant when `file.type` is "file".'
-      example: 16384
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
       default_field: false
-    - name: indicator.file.target_path
+    - name: indicator.file.x509.subject.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Target path for symlinks.
+      description: List of organizational units (OU) of subject.
       default_field: false
-    - name: indicator.file.type
+    - name: indicator.file.x509.subject.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File type (file, dir, or symlink).
-      example: file
+      description: List of state or province names (ST, S, or P)
+      example: California
       default_field: false
-    - name: indicator.file.uid
+    - name: indicator.file.x509.version_number
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The user ID (UID) or security identifier (SID) of the file owner.
-      example: '1001'
+      description: Version of x509 format.
+      example: 3
       default_field: false
     - name: indicator.first_seen
       level: extended
@@ -10574,36 +10339,6 @@
       description: The time zone of the location, such as IANA time zone name.
       example: America/Argentina/Buenos_Aires
       default_field: false
-    - name: indicator.hash.md5
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: MD5 hash.
-      default_field: false
-    - name: indicator.hash.sha1
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA1 hash.
-      default_field: false
-    - name: indicator.hash.sha256
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA256 hash.
-      default_field: false
-    - name: indicator.hash.sha512
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA512 hash.
-      default_field: false
-    - name: indicator.hash.ssdeep
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SSDEEP hash.
-      default_field: false
     - name: indicator.ip
       level: extended
       type: ip
@@ -10633,269 +10368,6 @@
         for this indicator.
       example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: indicator.pe.architecture
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: CPU architecture target for the file.
-      example: x64
-      default_field: false
-    - name: indicator.pe.authentihash
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-      default_field: false
-    - name: indicator.pe.company
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      default_field: false
-    - name: indicator.pe.compile_timestamp
-      level: extended
-      type: date
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: indicator.pe.compiler.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the compiler
-      example: Clang
-      default_field: false
-    - name: indicator.pe.compiler.version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Version of the compiler.
-      example: 11.0.0
-      default_field: false
-    - name: indicator.pe.creation_date
-      level: extended
-      type: date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: indicator.pe.debug
-      level: extended
-      type: nested
-      description: 'An array containing an object for each debug entry, if present.
-
-        The expected fields for this nested object fall under the `debug.` prefix.'
-      default_field: false
-    - name: indicator.pe.debug.offset
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Debug offset information.
-      example: 1296336
-      default_field: false
-    - name: indicator.pe.debug.size
-      level: extended
-      type: long
-      format: bytes
-      description: Size of the debug information.
-      example: 816
-      default_field: false
-    - name: indicator.pe.debug.timestamp
-      level: extended
-      type: date
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: indicator.pe.debug.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
-      default_field: false
-    - name: indicator.pe.description
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      default_field: false
-    - name: indicator.pe.entry_point
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
-      default_field: false
-    - name: indicator.pe.exports
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-      default_field: false
-    - name: indicator.pe.file_version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      default_field: false
-    - name: indicator.pe.icon.hash.dhash
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
-      default_field: false
-    - name: indicator.pe.imphash
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      default_field: false
-    - name: indicator.pe.imports
-      level: extended
-      type: flattened
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
-      default_field: false
-    - name: indicator.pe.machine_type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
-      default_field: false
-    - name: indicator.pe.original_file_name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      default_field: false
-    - name: indicator.pe.packers
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
-      default_field: false
-    - name: indicator.pe.product
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      default_field: false
-    - name: indicator.pe.resources
-      level: extended
-      type: nested
-      description: 'An array containing an object for each PE resource, if present.
-
-        The expected fields for this nested object fall under the `resources.` prefix.'
-      default_field: false
-    - name: indicator.pe.resources.chi2
-      level: extended
-      type: long
-      description: Chi-square probability distribution.
-      example: -1
-      default_field: false
-    - name: indicator.pe.resources.entropy
-      level: extended
-      type: long
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
-      default_field: false
-    - name: indicator.pe.resources.filetype
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: File type of the resources section.
-      example: Data
-      default_field: false
-    - name: indicator.pe.resources.language
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
-      default_field: false
-    - name: indicator.pe.resources.sha256
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-      default_field: false
-    - name: indicator.pe.resources.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
-      default_field: false
-    - name: indicator.pe.rich_header.hash.md5
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-      default_field: false
-    - name: indicator.pe.sections
-      level: extended
-      type: nested
-      description: Data about sections of compiled binary PE
-      default_field: false
-    - name: indicator.pe.sections.chi2
-      level: extended
-      type: long
-      description: Chi-square probability distribution.
-      example: 3027194
-      default_field: false
-    - name: indicator.pe.sections.entropy
-      level: extended
-      type: float
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
-      default_field: false
-    - name: indicator.pe.sections.flags
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Section flags of the file.
-      example: rx
-      default_field: false
-    - name: indicator.pe.sections.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Section names of the file.
-      example: .text, .data
-      default_field: false
-    - name: indicator.pe.sections.raw_size
-      level: extended
-      type: long
-      format: bytes
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      default_field: false
-    - name: indicator.pe.sections.virtual_address
-      level: extended
-      type: long
-      format: bytes
-      description: Virtual address available to the file.
-      example: 8192
-      default_field: false
     - name: indicator.port
       level: extended
       type: long
@@ -11457,6 +10929,7 @@
       protocol itself and intentionally avoids in-depth analysis of the related x.509
       certificate files.
     type: group
+    default_field: true
     fields:
     - name: cipher
       level: extended
@@ -12067,6 +11540,7 @@
     description: URL fields provide support for complete or partial URLs, and supports
       the breaking down into scheme, domain, path, and so on.
     type: group
+    default_field: true
     fields:
     - name: domain
       level: extended
@@ -12214,6 +11688,7 @@
       Fields can have one entry or multiple entries. If a user has more than one id,
       provide an array that includes all of them.'
     type: group
+    default_field: true
     fields:
     - name: changes.domain
       level: extended
@@ -12527,6 +12002,7 @@
 
       They often show up in web service logs coming from the parsed user agent string.'
     type: group
+    default_field: true
     fields:
     - name: device.name
       level: extended
@@ -12635,6 +12111,7 @@
       specific information when observer events contain discrete ingress and egress
       VLAN information, typically provided by firewalls, routers, or load balancers.'
     type: group
+    default_field: true
     fields:
     - name: id
       level: extended
@@ -12656,6 +12133,7 @@
     description: The vulnerability fields describe information about a vulnerability
       that is relevant to an event.
     type: group
+    default_field: true
     fields:
     - name: category
       level: extended
@@ -12794,6 +12272,7 @@
       use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
       `tls.client.x509`.'
     type: group
+    default_field: true
     fields:
     - name: alternative_names
       level: extended
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index b72963a423..58bd59000c 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1,1598 +1,1491 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-8.0.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-8.0.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-8.0.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
-8.0.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-8.0.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-8.0.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-8.0.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-8.0.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-8.0.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-8.0.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-8.0.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address.
-8.0.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-8.0.0-dev+exp,true,client,client.domain,keyword,core,,,Client domain.
-8.0.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
-8.0.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
-8.0.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-8.0.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port
-8.0.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-8.0.0-dev+exp,true,client,client.port,long,core,,,Port of the client.
-8.0.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-8.0.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-8.0.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-8.0.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
-8.0.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-8.0.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-8.0.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-8.0.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-8.0.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-8.0.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-8.0.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
-8.0.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
-8.0.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
-8.0.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
-8.0.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
-8.0.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id.
-8.0.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-8.0.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-8.0.0-dev+exp,true,container,container.labels,object,extended,,,Image labels.
-8.0.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1."
-8.0.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
-8.0.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
-8.0.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
-8.0.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-8.0.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
-8.0.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
-8.0.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream.
-8.0.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
-8.0.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-8.0.0-dev+exp,true,destination,destination.domain,keyword,core,,,Destination domain.
-8.0.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
-8.0.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
-8.0.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-8.0.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-8.0.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-8.0.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination.
-8.0.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-8.0.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-8.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-8.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-8.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-8.0.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
-8.0.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-8.0.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-8.0.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-8.0.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-8.0.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-8.0.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-8.0.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-8.0.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
-8.0.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-8.0.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-8.0.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-8.0.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-8.0.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-8.0.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-8.0.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-8.0.0-dev+exp,true,email,email.attachments,nested,extended,,,List of objects describing the attachments.
-8.0.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
-8.0.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file.
-8.0.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file.
-8.0.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size.
-8.0.0-dev+exp,true,email,email.attachments.hash.md5,keyword,extended,,e25f1c98ffdacf611473af364362ec48,MD5 hash of the attachment.
-8.0.0-dev+exp,true,email,email.attachments.hash.sha1,keyword,extended,,8c1cd40f17109b427e61d4e72ca6d9a4fc8175f3,SHA-1 hash of the attachment.
-8.0.0-dev+exp,true,email,email.attachments.hash.sha256,keyword,extended,,f0366b3559f577d8732f7e9cc343a4960d202e8137dcc42f9783f3963f6abc6a,SHA-256 hash of the attachment.
-8.0.0-dev+exp,true,email,email.bcc,keyword,extended,array,"['bcc.user1@example.com', 'bcc.user2@example.com']",Email address(es) of BCC recipients
-8.0.0-dev+exp,true,email,email.cc,keyword,extended,array,"['cc.user1@example.com', 'cc.user2@example.com']",Email address(es) of CC recipients
-8.0.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message.
-8.0.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered.
-8.0.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message.
-8.0.0-dev+exp,true,email,email.from,keyword,extended,,sender@example.com,The sender's email address.
-8.0.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source.
-8.0.0-dev+exp,true,email,email.message_id,keyword,extended,,<81ce15$8r2j59@mail01.example.com>,Value from the Message-ID header.
-8.0.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed.
-8.0.0-dev+exp,true,email,email.reply_to,keyword,extended,,reply.here@example.com,Address replies should be delivered to.
-8.0.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message.
-8.0.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message.
-8.0.0-dev+exp,true,email,email.to,keyword,extended,array,"['user1@example.com', 'user2@example.com']",Email address(es) of the recipients.
-8.0.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email.
-8.0.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error.
-8.0.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
-8.0.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message.
-8.0.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-8.0.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text.
-8.0.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-8.0.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-8.0.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field.
-8.0.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-8.0.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-8.0.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-8.0.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-8.0.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-8.0.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-8.0.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-8.0.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-8.0.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-8.0.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-8.0.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-8.0.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-8.0.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-8.0.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-8.0.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-8.0.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-8.0.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-8.0.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-8.0.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event.
-8.0.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event.
-8.0.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-8.0.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone.
-8.0.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-8.0.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-8.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-8.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-8.0.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
-8.0.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-8.0.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-8.0.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-8.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-8.0.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-8.0.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
-8.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-8.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-8.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-8.0.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-8.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-8.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-8.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-8.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
-8.0.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
-8.0.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
-8.0.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks.
-8.0.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-8.0.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-8.0.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-8.0.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
-8.0.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
-8.0.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
-8.0.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host.
-8.0.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
-8.0.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
-8.0.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
-8.0.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
-8.0.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
-8.0.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
-8.0.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
-8.0.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
-8.0.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-8.0.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-8.0.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-8.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-8.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-8.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
-8.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-8.0.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-8.0.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
-8.0.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body.
-8.0.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-8.0.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
-8.0.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
-8.0.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-8.0.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
-8.0.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-8.0.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
-8.0.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body.
-8.0.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-8.0.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-8.0.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-8.0.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version.
-8.0.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-8.0.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event.
-8.0.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-8.0.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event.
-8.0.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-8.0.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-8.0.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata
-8.0.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-8.0.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-8.0.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-8.0.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-8.0.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-8.0.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-8.0.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-8.0.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-8.0.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-8.0.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-8.0.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-8.0.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information
-8.0.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-8.0.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-8.0.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-8.0.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-8.0.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-8.0.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information
-8.0.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-8.0.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-8.0.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-8.0.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-8.0.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-8.0.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-8.0.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-8.0.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-8.0.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-8.0.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-8.0.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-8.0.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
-8.0.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-8.0.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-8.0.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-8.0.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-8.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-8.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-8.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-8.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-8.0.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-8.0.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-8.0.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version.
-8.0.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action
-8.0.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster.
-8.0.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster.
-8.0.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster.
-8.0.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
-8.0.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups).
-8.0.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon.
-8.0.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon.
-8.0.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."
-8.0.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-8.0.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name.
-8.0.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name.
-8.0.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-8.0.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-8.0.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-8.0.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-8.0.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-8.0.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed.
-8.0.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-8.0.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name
-8.0.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-8.0.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-8.0.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes.
-8.0.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type
-8.0.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version
-8.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-8.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-8.0.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-8.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-8.0.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-8.0.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-8.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-8.0.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-8.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-8.0.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-8.0.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-8.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
-8.0.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-8.0.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-8.0.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-8.0.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-8.0.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-8.0.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-8.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
-8.0.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-8.0.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-8.0.0-dev+exp,true,process,process.target.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-8.0.0-dev+exp,true,process,process.target.args_count,long,extended,,4,Length of the process.args array.
-8.0.0-dev+exp,true,process,process.target.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,process,process.target.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,process,process.target.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.target.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,process,process.target.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,process,process.target.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.target.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,process,process.target.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,process,process.target.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,process,process.target.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.target.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.target.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev+exp,true,process,process.target.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev+exp,true,process,process.target.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev+exp,true,process,process.target.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev+exp,true,process,process.target.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev+exp,true,process,process.target.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev+exp,true,process,process.target.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev+exp,true,process,process.target.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev+exp,true,process,process.target.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev+exp,true,process,process.target.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev+exp,true,process,process.target.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev+exp,true,process,process.target.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev+exp,true,process,process.target.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev+exp,true,process,process.target.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev+exp,true,process,process.target.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev+exp,true,process,process.target.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev+exp,true,process,process.target.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev+exp,true,process,process.target.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev+exp,true,process,process.target.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev+exp,true,process,process.target.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev+exp,true,process,process.target.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev+exp,true,process,process.target.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev+exp,true,process,process.target.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev+exp,true,process,process.target.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev+exp,true,process,process.target.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev+exp,true,process,process.target.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev+exp,true,process,process.target.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev+exp,true,process,process.target.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev+exp,true,process,process.target.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev+exp,true,process,process.target.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-8.0.0-dev+exp,true,process,process.target.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-8.0.0-dev+exp,true,process,process.target.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.target.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.target.exit_code,long,extended,,137,The exit code of the process.
-8.0.0-dev+exp,true,process,process.target.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,process,process.target.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,process,process.target.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,process,process.target.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,process,process.target.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,process,process.target.name,keyword,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.target.name.text,match_only_text,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.target.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-8.0.0-dev+exp,true,process,process.target.parent.args_count,long,extended,,4,Length of the process.args array.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,process,process.target.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,process,process.target.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.target.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev+exp,true,process,process.target.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev+exp,true,process,process.target.parent.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev+exp,true,process,process.target.parent.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev+exp,true,process,process.target.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev+exp,true,process,process.target.parent.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev+exp,true,process,process.target.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev+exp,true,process,process.target.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev+exp,true,process,process.target.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev+exp,true,process,process.target.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev+exp,true,process,process.target.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-8.0.0-dev+exp,true,process,process.target.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-8.0.0-dev+exp,true,process,process.target.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.target.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev+exp,true,process,process.target.parent.exit_code,long,extended,,137,The exit code of the process.
-8.0.0-dev+exp,true,process,process.target.parent.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,process,process.target.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,process,process.target.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,process,process.target.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,process,process.target.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,process,process.target.parent.name,keyword,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.target.parent.name.text,match_only_text,extended,,ssh,Process name.
-8.0.0-dev+exp,true,process,process.target.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,process,process.target.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,process,process.target.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,process,process.target.parent.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,process,process.target.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,process,process.target.parent.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,process,process.target.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,process,process.target.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,process,process.target.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,process,process.target.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,process,process.target.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,process,process.target.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,process,process.target.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,process,process.target.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.parent.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,process,process.target.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.target.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,process,process.target.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,process,process.target.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,process,process.target.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,process,process.target.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,process,process.target.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,process,process.target.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.target.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,process,process.target.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,process,process.target.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,process,process.target.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-8.0.0-dev+exp,true,process,process.target.parent.pid,long,core,,4242,Process id.
-8.0.0-dev+exp,true,process,process.target.parent.ppid,long,extended,,4241,Parent process' pid.
-8.0.0-dev+exp,true,process,process.target.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-8.0.0-dev+exp,true,process,process.target.parent.thread.id,long,extended,,4242,Thread ID.
-8.0.0-dev+exp,true,process,process.target.parent.thread.name,keyword,extended,,thread-0,Thread name.
-8.0.0-dev+exp,true,process,process.target.parent.title,keyword,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.target.parent.title.text,match_only_text,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.target.parent.uptime,long,extended,,1325,Seconds the process has been up.
-8.0.0-dev+exp,true,process,process.target.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,process,process.target.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,process,process.target.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,process,process.target.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,process,process.target.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,process,process.target.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,process,process.target.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,process,process.target.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,process,process.target.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,process,process.target.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,process,process.target.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,process,process.target.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,process,process.target.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,process,process.target.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,process,process.target.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,process,process.target.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,process,process.target.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,process,process.target.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,process,process.target.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,process,process.target.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,process,process.target.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,process,process.target.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,process,process.target.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,process,process.target.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.target.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,process,process.target.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,process,process.target.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,process,process.target.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,process,process.target.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,process,process.target.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,process,process.target.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,process,process.target.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,process,process.target.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,process,process.target.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,process,process.target.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,process,process.target.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,process,process.target.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,process,process.target.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-8.0.0-dev+exp,true,process,process.target.pid,long,core,,4242,Process id.
-8.0.0-dev+exp,true,process,process.target.ppid,long,extended,,4241,Parent process' pid.
-8.0.0-dev+exp,true,process,process.target.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-8.0.0-dev+exp,true,process,process.target.thread.id,long,extended,,4242,Thread ID.
-8.0.0-dev+exp,true,process,process.target.thread.name,keyword,extended,,thread-0,Thread name.
-8.0.0-dev+exp,true,process,process.target.title,keyword,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.target.title.text,match_only_text,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.target.uptime,long,extended,,1325,Seconds the process has been up.
-8.0.0-dev+exp,true,process,process.target.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,process,process.target.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
-8.0.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-8.0.0-dev+exp,true,process,process.title,keyword,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title.
-8.0.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-8.0.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-8.0.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-8.0.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-8.0.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-8.0.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-8.0.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-8.0.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-8.0.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-8.0.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-8.0.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-8.0.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-8.0.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
-8.0.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-8.0.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-8.0.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-8.0.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID
-8.0.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-8.0.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-8.0.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-8.0.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-8.0.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-8.0.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version
-8.0.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address.
-8.0.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-8.0.0-dev+exp,true,server,server.domain,keyword,core,,,Server domain.
-8.0.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
-8.0.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
-8.0.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-8.0.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port
-8.0.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-8.0.0-dev+exp,true,server,server.port,long,core,,,Port of the server.
-8.0.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-8.0.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
-8.0.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service.
-8.0.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-8.0.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-8.0.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-8.0.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-8.0.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service.
-8.0.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-8.0.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-8.0.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address.
-8.0.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-8.0.0-dev+exp,true,source,source.domain,keyword,core,,,Source domain.
-8.0.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
-8.0.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-8.0.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-8.0.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port
-8.0.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-8.0.0-dev+exp,true,source,source.port,long,core,,,Port of the source.
-8.0.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-8.0.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-8.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
-8.0.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
-8.0.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
-8.0.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index
-8.0.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match
-8.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-8.0.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group.
-8.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
-8.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group.
-8.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
-8.0.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
-8.0.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
-8.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
-8.0.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
-8.0.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
-8.0.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-8.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-8.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-8.0.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
-8.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
-8.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-8.0.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-8.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-8.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
-8.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-8.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
-8.0.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
-8.0.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
-8.0.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
-8.0.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-8.0.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-8.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
-8.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-8.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
-8.0.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-8.0.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information
-8.0.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-8.0.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-8.0.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information
-8.0.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-8.0.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-8.0.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-8.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
-8.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
-8.0.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
-8.0.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-8.0.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-8.0.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-8.0.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-8.0.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-8.0.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-8.0.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
-8.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
-8.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
-8.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
-8.0.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-8.0.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-8.0.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
-8.0.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
-8.0.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-8.0.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-8.0.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
-8.0.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-8.0.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
-8.0.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software
-8.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
-8.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
-8.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
-8.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
-8.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
-8.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-8.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-8.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-8.0.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-8.0.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-8.0.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name.
-8.0.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-8.0.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-8.0.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-8.0.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
-8.0.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-8.0.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-8.0.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-8.0.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-8.0.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-8.0.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-8.0.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-8.0.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-8.0.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-8.0.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-8.0.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-8.0.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-8.0.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-8.0.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-8.0.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-8.0.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-8.0.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-8.0.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-8.0.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-8.0.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-8.0.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-8.0.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-8.0.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-8.0.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-8.0.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-8.0.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-8.0.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-8.0.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-8.0.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-8.0.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-8.0.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-8.0.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-8.0.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-8.0.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-8.0.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-8.0.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request.
-8.0.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-8.0.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-8.0.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request.
-8.0.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-8.0.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-8.0.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request.
-8.0.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,user,user.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address.
-8.0.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-8.0.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-8.0.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-8.0.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-8.0.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-8.0.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-8.0.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-8.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-8.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-8.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-8.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-8.0.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-8.0.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-8.0.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-8.0.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-8.0.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-8.0.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-8.0.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-8.0.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-8.0.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-8.0.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-8.0.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-8.0.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-8.0.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+8.1.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+8.1.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+8.1.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
+8.1.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+8.1.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+8.1.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+8.1.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+8.1.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+8.1.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+8.1.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.1.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed.
+8.1.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time.
+8.1.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count."
+8.1.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup.
+8.1.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap.
+8.1.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes
+8.1.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics
+8.1.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address.
+8.1.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+8.1.0-dev+exp,true,client,client.domain,keyword,core,,,Client domain.
+8.1.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
+8.1.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
+8.1.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+8.1.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port
+8.1.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+8.1.0-dev+exp,true,client,client.port,long,core,,,Port of the client.
+8.1.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+8.1.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.1.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.1.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.1.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.1.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.1.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.1.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id.
+8.1.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name.
+8.1.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider.
+8.1.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.1.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name.
+8.1.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+8.1.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+8.1.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+8.1.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.1.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
+8.1.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.1.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.1.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.1.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.1.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id.
+8.1.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name.
+8.1.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider.
+8.1.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.1.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name.
+8.1.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+8.1.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+8.1.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+8.1.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id.
+8.1.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+8.1.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+8.1.0-dev+exp,true,container,container.labels,object,extended,,,Image labels.
+8.1.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1."
+8.1.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
+8.1.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+8.1.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.1.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+8.1.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
+8.1.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
+8.1.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream.
+8.1.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
+8.1.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+8.1.0-dev+exp,true,destination,destination.domain,keyword,core,,,Destination domain.
+8.1.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
+8.1.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
+8.1.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+8.1.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+8.1.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+8.1.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination.
+8.1.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+8.1.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+8.1.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+8.1.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+8.1.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+8.1.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+8.1.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+8.1.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+8.1.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information
+8.1.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+8.1.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information.
+8.1.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+8.1.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+8.1.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+8.1.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+8.1.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+8.1.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+8.1.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+8.1.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+8.1.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information
+8.1.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+8.1.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+8.1.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+8.1.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+8.1.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+8.1.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+8.1.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+8.1.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+8.1.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+8.1.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+8.1.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+8.1.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+8.1.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+8.1.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+8.1.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+8.1.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+8.1.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
+8.1.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+8.1.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+8.1.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+8.1.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+8.1.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+8.1.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+8.1.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+8.1.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
+8.1.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+8.1.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+8.1.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+8.1.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+8.1.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+8.1.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+8.1.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+8.1.0-dev+exp,true,email,email.attachments,nested,extended,,,List of objects describing the attachments.
+8.1.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
+8.1.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file.
+8.1.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file.
+8.1.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size.
+8.1.0-dev+exp,true,email,email.attachments.hash.md5,keyword,extended,,e25f1c98ffdacf611473af364362ec48,MD5 hash of the attachment.
+8.1.0-dev+exp,true,email,email.attachments.hash.sha1,keyword,extended,,8c1cd40f17109b427e61d4e72ca6d9a4fc8175f3,SHA-1 hash of the attachment.
+8.1.0-dev+exp,true,email,email.attachments.hash.sha256,keyword,extended,,f0366b3559f577d8732f7e9cc343a4960d202e8137dcc42f9783f3963f6abc6a,SHA-256 hash of the attachment.
+8.1.0-dev+exp,true,email,email.bcc,keyword,extended,array,"['bcc.user1@example.com', 'bcc.user2@example.com']",Email address(es) of BCC recipients
+8.1.0-dev+exp,true,email,email.cc,keyword,extended,array,"['cc.user1@example.com', 'cc.user2@example.com']",Email address(es) of CC recipients
+8.1.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message.
+8.1.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered.
+8.1.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message.
+8.1.0-dev+exp,true,email,email.from,keyword,extended,,sender@example.com,The sender's email address.
+8.1.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source.
+8.1.0-dev+exp,true,email,email.message_id,keyword,extended,,<81ce15$8r2j59@mail01.example.com>,Value from the Message-ID header.
+8.1.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed.
+8.1.0-dev+exp,true,email,email.reply_to,keyword,extended,,reply.here@example.com,Address replies should be delivered to.
+8.1.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message.
+8.1.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message.
+8.1.0-dev+exp,true,email,email.to,keyword,extended,array,"['user1@example.com', 'user2@example.com']",Email address(es) of the recipients.
+8.1.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email.
+8.1.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error.
+8.1.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
+8.1.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message.
+8.1.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+8.1.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text.
+8.1.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+8.1.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+8.1.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field.
+8.1.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+8.1.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+8.1.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+8.1.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+8.1.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+8.1.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+8.1.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+8.1.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+8.1.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+8.1.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+8.1.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+8.1.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+8.1.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+8.1.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+8.1.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+8.1.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+8.1.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+8.1.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+8.1.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event.
+8.1.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event.
+8.1.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+8.1.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone.
+8.1.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+8.1.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+8.1.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function.
+8.1.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution.
+8.1.0-dev+exp,true,faas,faas.trigger,nested,extended,,,Details about the function trigger.
+8.1.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc."
+8.1.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution.
+8.1.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+8.1.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+8.1.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
+8.1.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+8.1.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+8.1.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+8.1.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+8.1.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.1.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+8.1.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+8.1.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+8.1.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+8.1.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+8.1.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+8.1.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+8.1.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+8.1.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
+8.1.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+8.1.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+8.1.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+8.1.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+8.1.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+8.1.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information
+8.1.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+8.1.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information.
+8.1.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+8.1.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+8.1.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+8.1.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+8.1.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+8.1.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+8.1.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+8.1.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+8.1.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information
+8.1.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+8.1.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+8.1.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+8.1.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+8.1.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+8.1.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+8.1.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+8.1.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+8.1.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+8.1.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+8.1.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+8.1.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+8.1.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+8.1.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+8.1.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
+8.1.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+8.1.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+8.1.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+8.1.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.1.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+8.1.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+8.1.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+8.1.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+8.1.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host.
+8.1.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
+8.1.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
+8.1.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
+8.1.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
+8.1.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+8.1.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+8.1.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.1.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+8.1.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.1.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.1.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.1.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+8.1.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.1.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
+8.1.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+8.1.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+8.1.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+8.1.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body.
+8.1.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+8.1.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
+8.1.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
+8.1.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+8.1.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+8.1.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+8.1.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+8.1.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body.
+8.1.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+8.1.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+8.1.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+8.1.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version.
+8.1.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+8.1.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event.
+8.1.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+8.1.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event.
+8.1.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+8.1.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+8.1.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata
+8.1.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+8.1.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+8.1.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+8.1.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+8.1.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+8.1.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+8.1.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+8.1.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+8.1.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+8.1.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+8.1.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+8.1.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information
+8.1.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+8.1.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+8.1.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name.
+8.1.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+8.1.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+8.1.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information
+8.1.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+8.1.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+8.1.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+8.1.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+8.1.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+8.1.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+8.1.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+8.1.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+8.1.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+8.1.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+8.1.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+8.1.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
+8.1.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+8.1.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.1.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.1.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.1.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+8.1.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.1.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+8.1.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+8.1.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+8.1.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+8.1.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version.
+8.1.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action
+8.1.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster.
+8.1.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster.
+8.1.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster.
+8.1.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
+8.1.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups).
+8.1.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon.
+8.1.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon.
+8.1.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."
+8.1.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+8.1.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name.
+8.1.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name.
+8.1.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+8.1.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+8.1.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+8.1.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+8.1.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+8.1.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed.
+8.1.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+8.1.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name
+8.1.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+8.1.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+8.1.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes.
+8.1.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type
+8.1.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version
+8.1.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+8.1.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+8.1.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
+8.1.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+8.1.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+8.1.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name.
+8.1.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
+8.1.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+8.1.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+8.1.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
+8.1.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+8.1.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+8.1.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+8.1.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
+8.1.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+8.1.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+8.1.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+8.1.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+8.1.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+8.1.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information
+8.1.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+8.1.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information.
+8.1.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+8.1.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+8.1.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+8.1.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+8.1.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+8.1.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+8.1.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+8.1.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+8.1.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information
+8.1.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+8.1.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+8.1.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+8.1.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+8.1.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+8.1.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+8.1.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+8.1.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+8.1.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+8.1.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+8.1.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+8.1.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+8.1.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+8.1.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+8.1.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+8.1.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
+8.1.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+8.1.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+8.1.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+8.1.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title.
+8.1.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title.
+8.1.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+8.1.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+8.1.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+8.1.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+8.1.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+8.1.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+8.1.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+8.1.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+8.1.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information
+8.1.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+8.1.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information.
+8.1.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+8.1.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+8.1.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+8.1.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+8.1.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+8.1.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+8.1.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+8.1.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+8.1.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information
+8.1.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+8.1.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+8.1.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+8.1.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+8.1.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+8.1.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+8.1.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+8.1.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+8.1.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+8.1.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+8.1.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+8.1.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+8.1.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+8.1.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+8.1.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+8.1.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
+8.1.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+8.1.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
+8.1.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+8.1.0-dev+exp,true,process,process.title,keyword,extended,,,Process title.
+8.1.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title.
+8.1.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+8.1.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+8.1.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+8.1.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+8.1.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+8.1.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+8.1.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+8.1.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+8.1.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+8.1.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+8.1.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+8.1.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+8.1.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+8.1.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
+8.1.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+8.1.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+8.1.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+8.1.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID
+8.1.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+8.1.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+8.1.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+8.1.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+8.1.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+8.1.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version
+8.1.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address.
+8.1.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+8.1.0-dev+exp,true,server,server.domain,keyword,core,,,Server domain.
+8.1.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
+8.1.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
+8.1.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+8.1.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port
+8.1.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+8.1.0-dev+exp,true,server,server.port,long,core,,,Port of the server.
+8.1.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+8.1.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.1.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service.
+8.1.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+8.1.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+8.1.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+8.1.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+8.1.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.1.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
+8.1.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+8.1.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+8.1.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service.
+8.1.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+8.1.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service.
+8.1.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service.
+8.1.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service.
+8.1.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service.
+8.1.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.1.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service.
+8.1.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+8.1.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+8.1.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service.
+8.1.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+8.1.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service.
+8.1.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service.
+8.1.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service.
+8.1.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+8.1.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+8.1.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address.
+8.1.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+8.1.0-dev+exp,true,source,source.domain,keyword,core,,,Source domain.
+8.1.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
+8.1.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
+8.1.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+8.1.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port
+8.1.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+8.1.0-dev+exp,true,source,source.port,long,core,,,Port of the source.
+8.1.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+8.1.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+8.1.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug,nested,extended,array,,Debug information
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.size,long,extended,,816,Size of the debug information.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources,nested,extended,array,,PE resource information
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
+8.1.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
+8.1.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
+8.1.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index
+8.1.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05 17:00:58.326000+00:00,Date of match
+8.1.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match
+8.1.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+8.1.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group.
+8.1.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
+8.1.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group.
+8.1.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
+8.1.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
+8.1.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+8.1.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+8.1.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+8.1.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
+8.1.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+8.1.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+8.1.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.1.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+8.1.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+8.1.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+8.1.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+8.1.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+8.1.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+8.1.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
+8.1.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug,nested,extended,array,,Debug information
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.size,long,extended,,816,Size of the debug information.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources,nested,extended,array,,PE resource information
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+8.1.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
+8.1.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
+8.1.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+8.1.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+8.1.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+8.1.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+8.1.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
+8.1.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
+8.1.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
+8.1.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+8.1.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
+8.1.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+8.1.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+8.1.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+8.1.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+8.1.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+8.1.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+8.1.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+8.1.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
+8.1.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
+8.1.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+8.1.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+8.1.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+8.1.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+8.1.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
+8.1.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+8.1.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+8.1.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
+8.1.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+8.1.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+8.1.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software
+8.1.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
+8.1.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
+8.1.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
+8.1.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
+8.1.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
+8.1.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+8.1.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+8.1.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+8.1.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+8.1.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+8.1.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name.
+8.1.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+8.1.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+8.1.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+8.1.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
+8.1.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+8.1.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+8.1.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+8.1.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+8.1.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+8.1.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+8.1.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+8.1.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+8.1.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+8.1.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+8.1.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+8.1.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+8.1.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+8.1.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+8.1.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+8.1.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+8.1.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+8.1.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+8.1.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+8.1.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+8.1.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+8.1.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+8.1.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+8.1.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+8.1.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+8.1.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+8.1.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+8.1.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+8.1.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+8.1.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+8.1.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+8.1.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+8.1.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+8.1.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+8.1.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+8.1.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request.
+8.1.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+8.1.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+8.1.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request.
+8.1.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+8.1.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+8.1.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request.
+8.1.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,user,user.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address.
+8.1.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+8.1.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+8.1.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+8.1.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+8.1.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.1.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.1.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.1.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+8.1.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.1.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+8.1.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+8.1.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+8.1.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+8.1.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+8.1.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+8.1.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+8.1.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+8.1.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+8.1.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+8.1.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+8.1.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+8.1.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+8.1.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+8.1.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 32d30fd1bd..2d47b0c1a7 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -101,6 +101,75 @@ agent.version:
   normalize: []
   short: Version of the agent.
   type: keyword
+cgroup.cpu.periods:
+  dashed_name: cgroup-cpu-periods
+  description: Number of period intervals that have elapsed.
+  example: 454839343
+  flat_name: cgroup.cpu.periods
+  level: extended
+  name: cpu.periods
+  normalize: []
+  short: Number of period intervals that have elapsed.
+  type: long
+cgroup.cpu.throttled.us:
+  dashed_name: cgroup-cpu-throttled-us
+  description: Microseconds of CPU throttled time.
+  example: 15000
+  flat_name: cgroup.cpu.throttled.us
+  level: extended
+  name: cpu.throttled.us
+  normalize: []
+  short: Microseconds of CPU throttled time.
+  type: long
+cgroup.cpu.usage:
+  dashed_name: cgroup-cpu-usage
+  description: CPU usage, normalized by the CPU count.
+  flat_name: cgroup.cpu.usage
+  level: extended
+  name: cpu.usage
+  normalize: []
+  scaling_factor: 1000
+  short: CPU usage, normalized by the CPU count.
+  type: scaled_float
+cgroup.memory.limit:
+  dashed_name: cgroup-memory-limit
+  description: Memory limit within the cgroup.
+  example: 256
+  flat_name: cgroup.memory.limit
+  level: extended
+  name: memory.limit
+  normalize: []
+  short: Memory limit within the cgroup.
+  type: long
+cgroup.memory.swap.usage:
+  dashed_name: cgroup-memory-swap-usage
+  description: The amount of cgroup memory in swap.
+  example: 5600
+  flat_name: cgroup.memory.swap.usage
+  level: extended
+  name: memory.swap.usage
+  normalize: []
+  short: The amount of cgroup memory in swap.
+  type: long
+cgroup.memory.usage:
+  dashed_name: cgroup-memory-usage
+  description: Memory usage in bytes
+  example: 25600
+  flat_name: cgroup.memory.usage
+  level: extended
+  name: memory.usage
+  normalize: []
+  short: Memory usage in bytes
+  type: long
+cgroup.version:
+  dashed_name: cgroup-version
+  description: The cgroup version linked to the metrics
+  flat_name: cgroup.version
+  level: extended
+  name: version
+  normalize: []
+  short: The cgroup version linked to the metrics
+  type: long
 client.address:
   dashed_name: client-address
   description: 'Some event client addresses are defined ambiguously. The event will
@@ -628,6 +697,152 @@ cloud.machine.type:
   normalize: []
   short: Machine type of the host machine.
   type: keyword
+cloud.origin.account.id:
+  dashed_name: cloud-origin-account-id
+  description: 'The cloud account or organization id used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+  example: 666777888999
+  flat_name: cloud.origin.account.id
+  ignore_above: 1024
+  level: extended
+  name: account.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account or organization id.
+  type: keyword
+cloud.origin.account.name:
+  dashed_name: cloud-origin-account-name
+  description: 'The cloud account name or alias used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account name, Google Cloud ORG display name.'
+  example: elastic-dev
+  flat_name: cloud.origin.account.name
+  ignore_above: 1024
+  level: extended
+  name: account.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account name.
+  type: keyword
+cloud.origin.availability_zone:
+  dashed_name: cloud-origin-availability-zone
+  description: Availability zone in which this host, resource, or service is located.
+  example: us-east-1c
+  flat_name: cloud.origin.availability_zone
+  ignore_above: 1024
+  level: extended
+  name: availability_zone
+  normalize: []
+  original_fieldset: cloud
+  short: Availability zone in which this host, resource, or service is located.
+  type: keyword
+cloud.origin.instance.id:
+  dashed_name: cloud-origin-instance-id
+  description: Instance ID of the host machine.
+  example: i-1234567890abcdef0
+  flat_name: cloud.origin.instance.id
+  ignore_above: 1024
+  level: extended
+  name: instance.id
+  normalize: []
+  original_fieldset: cloud
+  short: Instance ID of the host machine.
+  type: keyword
+cloud.origin.instance.name:
+  dashed_name: cloud-origin-instance-name
+  description: Instance name of the host machine.
+  flat_name: cloud.origin.instance.name
+  ignore_above: 1024
+  level: extended
+  name: instance.name
+  normalize: []
+  original_fieldset: cloud
+  short: Instance name of the host machine.
+  type: keyword
+cloud.origin.machine.type:
+  dashed_name: cloud-origin-machine-type
+  description: Machine type of the host machine.
+  example: t2.medium
+  flat_name: cloud.origin.machine.type
+  ignore_above: 1024
+  level: extended
+  name: machine.type
+  normalize: []
+  original_fieldset: cloud
+  short: Machine type of the host machine.
+  type: keyword
+cloud.origin.project.id:
+  dashed_name: cloud-origin-project-id
+  description: 'The cloud project identifier.
+
+    Examples: Google Cloud Project id, Azure Project id.'
+  example: my-project
+  flat_name: cloud.origin.project.id
+  ignore_above: 1024
+  level: extended
+  name: project.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project id.
+  type: keyword
+cloud.origin.project.name:
+  dashed_name: cloud-origin-project-name
+  description: 'The cloud project name.
+
+    Examples: Google Cloud Project name, Azure Project name.'
+  example: my project
+  flat_name: cloud.origin.project.name
+  ignore_above: 1024
+  level: extended
+  name: project.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project name.
+  type: keyword
+cloud.origin.provider:
+  dashed_name: cloud-origin-provider
+  description: Name of the cloud provider. Example values are aws, azure, gcp, or
+    digitalocean.
+  example: aws
+  flat_name: cloud.origin.provider
+  ignore_above: 1024
+  level: extended
+  name: provider
+  normalize: []
+  original_fieldset: cloud
+  short: Name of the cloud provider.
+  type: keyword
+cloud.origin.region:
+  dashed_name: cloud-origin-region
+  description: Region in which this host, resource, or service is located.
+  example: us-east-1
+  flat_name: cloud.origin.region
+  ignore_above: 1024
+  level: extended
+  name: region
+  normalize: []
+  original_fieldset: cloud
+  short: Region in which this host, resource, or service is located.
+  type: keyword
+cloud.origin.service.name:
+  dashed_name: cloud-origin-service-name
+  description: 'The cloud service name is intended to distinguish services running
+    on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App
+    Engine, Azure VM vs App Server.
+
+    Examples: app engine, app service, cloud run, fargate, lambda.'
+  example: lambda
+  flat_name: cloud.origin.service.name
+  ignore_above: 1024
+  level: extended
+  name: service.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud service name.
+  type: keyword
 cloud.project.id:
   dashed_name: cloud-project-id
   description: 'The cloud project identifier.
@@ -692,6 +907,152 @@ cloud.service.name:
   normalize: []
   short: The cloud service name.
   type: keyword
+cloud.target.account.id:
+  dashed_name: cloud-target-account-id
+  description: 'The cloud account or organization id used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+  example: 666777888999
+  flat_name: cloud.target.account.id
+  ignore_above: 1024
+  level: extended
+  name: account.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account or organization id.
+  type: keyword
+cloud.target.account.name:
+  dashed_name: cloud-target-account-name
+  description: 'The cloud account name or alias used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account name, Google Cloud ORG display name.'
+  example: elastic-dev
+  flat_name: cloud.target.account.name
+  ignore_above: 1024
+  level: extended
+  name: account.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account name.
+  type: keyword
+cloud.target.availability_zone:
+  dashed_name: cloud-target-availability-zone
+  description: Availability zone in which this host, resource, or service is located.
+  example: us-east-1c
+  flat_name: cloud.target.availability_zone
+  ignore_above: 1024
+  level: extended
+  name: availability_zone
+  normalize: []
+  original_fieldset: cloud
+  short: Availability zone in which this host, resource, or service is located.
+  type: keyword
+cloud.target.instance.id:
+  dashed_name: cloud-target-instance-id
+  description: Instance ID of the host machine.
+  example: i-1234567890abcdef0
+  flat_name: cloud.target.instance.id
+  ignore_above: 1024
+  level: extended
+  name: instance.id
+  normalize: []
+  original_fieldset: cloud
+  short: Instance ID of the host machine.
+  type: keyword
+cloud.target.instance.name:
+  dashed_name: cloud-target-instance-name
+  description: Instance name of the host machine.
+  flat_name: cloud.target.instance.name
+  ignore_above: 1024
+  level: extended
+  name: instance.name
+  normalize: []
+  original_fieldset: cloud
+  short: Instance name of the host machine.
+  type: keyword
+cloud.target.machine.type:
+  dashed_name: cloud-target-machine-type
+  description: Machine type of the host machine.
+  example: t2.medium
+  flat_name: cloud.target.machine.type
+  ignore_above: 1024
+  level: extended
+  name: machine.type
+  normalize: []
+  original_fieldset: cloud
+  short: Machine type of the host machine.
+  type: keyword
+cloud.target.project.id:
+  dashed_name: cloud-target-project-id
+  description: 'The cloud project identifier.
+
+    Examples: Google Cloud Project id, Azure Project id.'
+  example: my-project
+  flat_name: cloud.target.project.id
+  ignore_above: 1024
+  level: extended
+  name: project.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project id.
+  type: keyword
+cloud.target.project.name:
+  dashed_name: cloud-target-project-name
+  description: 'The cloud project name.
+
+    Examples: Google Cloud Project name, Azure Project name.'
+  example: my project
+  flat_name: cloud.target.project.name
+  ignore_above: 1024
+  level: extended
+  name: project.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project name.
+  type: keyword
+cloud.target.provider:
+  dashed_name: cloud-target-provider
+  description: Name of the cloud provider. Example values are aws, azure, gcp, or
+    digitalocean.
+  example: aws
+  flat_name: cloud.target.provider
+  ignore_above: 1024
+  level: extended
+  name: provider
+  normalize: []
+  original_fieldset: cloud
+  short: Name of the cloud provider.
+  type: keyword
+cloud.target.region:
+  dashed_name: cloud-target-region
+  description: Region in which this host, resource, or service is located.
+  example: us-east-1
+  flat_name: cloud.target.region
+  ignore_above: 1024
+  level: extended
+  name: region
+  normalize: []
+  original_fieldset: cloud
+  short: Region in which this host, resource, or service is located.
+  type: keyword
+cloud.target.service.name:
+  dashed_name: cloud-target-service-name
+  description: 'The cloud service name is intended to distinguish services running
+    on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App
+    Engine, Azure VM vs App Server.
+
+    Examples: app engine, app service, cloud run, fargate, lambda.'
+  example: lambda
+  flat_name: cloud.target.service.name
+  ignore_above: 1024
+  level: extended
+  name: service.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud service name.
+  type: keyword
 container.cpu.usage:
   dashed_name: container-cpu-usage
   description: 'Percent CPU used which is normalized by the number of CPU cores and
@@ -3347,6 +3708,58 @@ event.url:
   normalize: []
   short: Event investigation URL
   type: keyword
+faas.coldstart:
+  dashed_name: faas-coldstart
+  description: Boolean value indicating a cold start of a function.
+  flat_name: faas.coldstart
+  level: extended
+  name: coldstart
+  normalize: []
+  short: Boolean value indicating a cold start of a function.
+  type: boolean
+faas.execution:
+  dashed_name: faas-execution
+  description: The execution ID of the current function execution.
+  example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+  flat_name: faas.execution
+  ignore_above: 1024
+  level: extended
+  name: execution
+  normalize: []
+  short: The execution ID of the current function execution.
+  type: keyword
+faas.trigger:
+  dashed_name: faas-trigger
+  description: Details about the function trigger.
+  flat_name: faas.trigger
+  level: extended
+  name: trigger
+  normalize: []
+  short: Details about the function trigger.
+  type: nested
+faas.trigger.request_id:
+  dashed_name: faas-trigger-request-id
+  description: The ID of the trigger request , message, event, etc.
+  example: 123456789
+  flat_name: faas.trigger.request_id
+  ignore_above: 1024
+  level: extended
+  name: trigger.request_id
+  normalize: []
+  short: The ID of the trigger request , message, event, etc.
+  type: keyword
+faas.trigger.type:
+  dashed_name: faas-trigger-type
+  description: "The trigger for the function execution.\nExpected values are:\n  *\
+    \ http\n  * pubsub\n  * datasource\n  * timer\n  * other"
+  example: http
+  flat_name: faas.trigger.type
+  ignore_above: 1024
+  level: extended
+  name: trigger.type
+  normalize: []
+  short: The trigger for the function execution.
+  type: keyword
 file.accessed:
   dashed_name: file-accessed
   description: 'Last time the file was accessed.
@@ -5714,13 +6127,14 @@ message:
   type: match_only_text
 network.application:
   dashed_name: network-application
-  description: 'A name given to an application level protocol. This can be arbitrarily
-    assigned for things like microservices, but also apply to things like skype, icq,
-    facebook, twitter. This would be used in situations where the vendor or service
-    can be decoded such as from the source/dest IP owners, ports, or wire format.
+  description: 'When a specific application or service is identified from network
+    connection details (source/dest IPs, ports, certificates, or wire format), this
+    field captures the application''s or service''s name.
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    For example, the original event identifies the network connection being from a
+    specific web service in a `https` network connection, like `facebook` or `twitter`.
+
+    The field value must be normalized to lowercase for querying.'
   example: aim
   flat_name: network.application
   ignore_above: 1024
@@ -5863,25 +6277,24 @@ network.packets:
   type: long
 network.protocol:
   dashed_name: network-protocol
-  description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+  description: 'In the OSI Model this would be the Application Layer protocol. For
+    example, `http`, `dns`, or `ssh`.
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    The field value must be normalized to lowercase for querying.'
   example: http
   flat_name: network.protocol
   ignore_above: 1024
   level: core
   name: protocol
   normalize: []
-  short: L7 Network protocol name.
+  short: Application protocol name.
   type: keyword
 network.transport:
   dashed_name: network-transport
   description: 'Same as network.iana_number, but instead using the Keyword name of
     the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    The field value must be normalized to lowercase for querying.'
   example: tcp
   flat_name: network.transport
   ignore_above: 1024
@@ -5895,8 +6308,7 @@ network.type:
   description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec,
     pim, etc
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    The field value must be normalized to lowercase for querying.'
   example: ipv4
   flat_name: network.type
   ignore_above: 1024
@@ -8463,18 +8875,6 @@ process.parent.pid:
   original_fieldset: process
   short: Process id.
   type: long
-process.parent.ppid:
-  dashed_name: process-parent-ppid
-  description: Parent process' pid.
-  example: 4241
-  flat_name: process.parent.ppid
-  format: string
-  level: extended
-  name: ppid
-  normalize: []
-  original_fieldset: process
-  short: Parent process' pid.
-  type: long
 process.parent.start:
   dashed_name: process-parent-start
   description: The time the process started.
@@ -9035,17 +9435,6 @@ process.pid:
   normalize: []
   short: Process id.
   type: long
-process.ppid:
-  dashed_name: process-ppid
-  description: Parent process' pid.
-  example: 4241
-  flat_name: process.ppid
-  format: string
-  level: extended
-  name: ppid
-  normalize: []
-  short: Parent process' pid.
-  type: long
 process.start:
   dashed_name: process-start
   description: The time the process started.
@@ -9056,4614 +9445,3011 @@ process.start:
   normalize: []
   short: The time the process started.
   type: date
-process.target.args:
-  dashed_name: process-target-args
-  description: 'Array of process arguments, starting with the absolute path to the
-    executable.
-
-    May be filtered to protect sensitive information.'
-  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
-  flat_name: process.target.args
-  ignore_above: 1024
-  level: extended
-  name: args
-  normalize:
-  - array
-  original_fieldset: process
-  short: Array of process arguments.
-  type: keyword
-process.target.args_count:
-  dashed_name: process-target-args-count
-  description: 'Length of the process.args array.
-
-    This field can be useful for querying or performing bucket analysis on how many
-    arguments were provided to start a process. More arguments may be an indication
-    of suspicious activity.'
-  example: 4
-  flat_name: process.target.args_count
+process.thread.id:
+  dashed_name: process-thread-id
+  description: Thread ID.
+  example: 4242
+  flat_name: process.thread.id
+  format: string
   level: extended
-  name: args_count
+  name: thread.id
   normalize: []
-  original_fieldset: process
-  short: Length of the process.args array.
+  short: Thread ID.
   type: long
-process.target.code_signature.digest_algorithm:
-  dashed_name: process-target-code-signature-digest-algorithm
-  description: 'The hashing algorithm used to sign the process.
-
-    This value can distinguish signatures when a file is signed multiple times by
-    the same signer but with a different digest algorithm.'
-  example: sha256
-  flat_name: process.target.code_signature.digest_algorithm
+process.thread.name:
+  dashed_name: process-thread-name
+  description: Thread name.
+  example: thread-0
+  flat_name: process.thread.name
   ignore_above: 1024
   level: extended
-  name: digest_algorithm
+  name: thread.name
   normalize: []
-  original_fieldset: code_signature
-  short: Hashing algorithm used to sign the process.
+  short: Thread name.
   type: keyword
-process.target.code_signature.exists:
-  dashed_name: process-target-code-signature-exists
-  description: Boolean to capture if a signature is present.
-  example: 'true'
-  flat_name: process.target.code_signature.exists
-  level: core
-  name: exists
-  normalize: []
-  original_fieldset: code_signature
-  short: Boolean to capture if a signature is present.
-  type: boolean
-process.target.code_signature.signing_id:
-  dashed_name: process-target-code-signature-signing-id
-  description: 'The identifier used to sign the process.
+process.title:
+  dashed_name: process-title
+  description: 'Process title.
 
-    This is used to identify the application manufactured by a software vendor. The
-    field is relevant to Apple *OS only.'
-  example: com.apple.xpc.proxy
-  flat_name: process.target.code_signature.signing_id
+    The proctitle, some times the same as process name. Can also be different: for
+    example a browser setting its title to the web page currently opened.'
+  flat_name: process.title
   ignore_above: 1024
   level: extended
-  name: signing_id
+  multi_fields:
+  - flat_name: process.title.text
+    name: text
+    type: match_only_text
+  name: title
   normalize: []
-  original_fieldset: code_signature
-  short: The identifier used to sign the process.
+  short: Process title.
   type: keyword
-process.target.code_signature.status:
-  dashed_name: process-target-code-signature-status
-  description: 'Additional information about the certificate status.
-
-    This is useful for logging cryptographic errors with the certificate validity
-    or trust status. Leave unpopulated if the validity or trust of the certificate
-    was unchecked.'
-  example: ERROR_UNTRUSTED_ROOT
-  flat_name: process.target.code_signature.status
-  ignore_above: 1024
+process.uptime:
+  dashed_name: process-uptime
+  description: Seconds the process has been up.
+  example: 1325
+  flat_name: process.uptime
   level: extended
-  name: status
+  name: uptime
   normalize: []
-  original_fieldset: code_signature
-  short: Additional information about the certificate status.
-  type: keyword
-process.target.code_signature.subject_name:
-  dashed_name: process-target-code-signature-subject-name
-  description: Subject name of the code signer
-  example: Microsoft Corporation
-  flat_name: process.target.code_signature.subject_name
+  short: Seconds the process has been up.
+  type: long
+process.working_directory:
+  dashed_name: process-working-directory
+  description: The working directory of the process.
+  example: /home/alice
+  flat_name: process.working_directory
   ignore_above: 1024
-  level: core
-  name: subject_name
+  level: extended
+  multi_fields:
+  - flat_name: process.working_directory.text
+    name: text
+    type: match_only_text
+  name: working_directory
   normalize: []
-  original_fieldset: code_signature
-  short: Subject name of the code signer
+  short: The working directory of the process.
   type: keyword
-process.target.code_signature.team_id:
-  dashed_name: process-target-code-signature-team-id
-  description: 'The team identifier used to sign the process.
+registry.data.bytes:
+  dashed_name: registry-data-bytes
+  description: 'Original bytes written with base64 encoding.
 
-    This is used to identify the team or vendor of a software product. The field is
-    relevant to Apple *OS only.'
-  example: EQHXZ8M8AV
-  flat_name: process.target.code_signature.team_id
+    For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+    corresponds to the data pointed by `lp_data`. This is optional but provides better
+    recoverability and should be populated for REG_BINARY encoded values.'
+  example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+  flat_name: registry.data.bytes
   ignore_above: 1024
   level: extended
-  name: team_id
+  name: data.bytes
   normalize: []
-  original_fieldset: code_signature
-  short: The team identifier used to sign the process.
+  short: Original bytes written with base64 encoding.
   type: keyword
-process.target.code_signature.timestamp:
-  dashed_name: process-target-code-signature-timestamp
-  description: Date and time when the code signature was generated and signed.
-  example: '2021-01-01T12:10:30Z'
-  flat_name: process.target.code_signature.timestamp
-  level: extended
-  name: timestamp
-  normalize: []
-  original_fieldset: code_signature
-  short: When the signature was generated and signed.
-  type: date
-process.target.code_signature.trusted:
-  dashed_name: process-target-code-signature-trusted
-  description: 'Stores the trust status of the certificate chain.
-
-    Validating the trust of the certificate chain may be complicated, and this field
-    should only be populated by tools that actively check the status.'
-  example: 'true'
-  flat_name: process.target.code_signature.trusted
-  level: extended
-  name: trusted
-  normalize: []
-  original_fieldset: code_signature
-  short: Stores the trust status of the certificate chain.
-  type: boolean
-process.target.code_signature.valid:
-  dashed_name: process-target-code-signature-valid
-  description: 'Boolean to capture if the digital signature is verified against the
-    binary content.
-
-    Leave unpopulated if a certificate was unchecked.'
-  example: 'true'
-  flat_name: process.target.code_signature.valid
-  level: extended
-  name: valid
-  normalize: []
-  original_fieldset: code_signature
-  short: Boolean to capture if the digital signature is verified against the binary
-    content.
-  type: boolean
-process.target.command_line:
-  dashed_name: process-target-command-line
-  description: 'Full command line that started the process, including the absolute
-    path to the executable, and all arguments.
+registry.data.strings:
+  dashed_name: registry-data-strings
+  description: 'Content when writing string types.
 
-    Some arguments may be filtered to protect sensitive information.'
-  example: /usr/bin/ssh -l user 10.0.0.16
-  flat_name: process.target.command_line
-  level: extended
-  multi_fields:
-  - flat_name: process.target.command_line.text
-    name: text
-    type: match_only_text
-  name: command_line
-  normalize: []
-  original_fieldset: process
-  short: Full command line that started the process.
+    Populated as an array when writing string data to the registry. For single string
+    registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
+    For sequences of string with REG_MULTI_SZ, this array will be variable length.
+    For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
+    the decimal representation (e.g `"1"`).'
+  example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+  flat_name: registry.data.strings
+  level: core
+  name: data.strings
+  normalize:
+  - array
+  short: List of strings representing what was written to the registry.
   type: wildcard
-process.target.elf.architecture:
-  dashed_name: process-target-elf-architecture
-  description: Machine architecture of the ELF file.
-  example: x86-64
-  flat_name: process.target.elf.architecture
+registry.data.type:
+  dashed_name: registry-data-type
+  description: Standard registry type for encoding contents
+  example: REG_SZ
+  flat_name: registry.data.type
   ignore_above: 1024
-  level: extended
-  name: architecture
+  level: core
+  name: data.type
   normalize: []
-  original_fieldset: elf
-  short: Machine architecture of the ELF file.
+  short: Standard registry type for encoding contents
   type: keyword
-process.target.elf.byte_order:
-  dashed_name: process-target-elf-byte-order
-  description: Byte sequence of ELF file.
-  example: Little Endian
-  flat_name: process.target.elf.byte_order
+registry.hive:
+  dashed_name: registry-hive
+  description: Abbreviated name for the hive.
+  example: HKLM
+  flat_name: registry.hive
   ignore_above: 1024
-  level: extended
-  name: byte_order
+  level: core
+  name: hive
   normalize: []
-  original_fieldset: elf
-  short: Byte sequence of ELF file.
+  short: Abbreviated name for the hive.
   type: keyword
-process.target.elf.cpu_type:
-  dashed_name: process-target-elf-cpu-type
-  description: CPU type of the ELF file.
-  example: Intel
-  flat_name: process.target.elf.cpu_type
+registry.key:
+  dashed_name: registry-key
+  description: Hive-relative path of keys.
+  example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+  flat_name: registry.key
   ignore_above: 1024
-  level: extended
-  name: cpu_type
+  level: core
+  name: key
   normalize: []
-  original_fieldset: elf
-  short: CPU type of the ELF file.
+  short: Hive-relative path of keys.
   type: keyword
-process.target.elf.creation_date:
-  dashed_name: process-target-elf-creation-date
-  description: Extracted when possible from the file's metadata. Indicates when it
-    was built or compiled. It can also be faked by malware creators.
-  flat_name: process.target.elf.creation_date
-  level: extended
-  name: creation_date
-  normalize: []
-  original_fieldset: elf
-  short: Build or compile date.
-  type: date
-process.target.elf.exports:
-  dashed_name: process-target-elf-exports
-  description: List of exported element names and types.
-  flat_name: process.target.elf.exports
-  level: extended
-  name: exports
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of exported element names and types.
-  type: flattened
-process.target.elf.header.abi_version:
-  dashed_name: process-target-elf-header-abi-version
-  description: Version of the ELF Application Binary Interface (ABI).
-  flat_name: process.target.elf.header.abi_version
+registry.path:
+  dashed_name: registry-path
+  description: Full path, including hive, key and value
+  example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+    Options\winword.exe\Debugger
+  flat_name: registry.path
   ignore_above: 1024
-  level: extended
-  name: header.abi_version
+  level: core
+  name: path
   normalize: []
-  original_fieldset: elf
-  short: Version of the ELF Application Binary Interface (ABI).
+  short: Full path, including hive, key and value
   type: keyword
-process.target.elf.header.class:
-  dashed_name: process-target-elf-header-class
-  description: Header class of the ELF file.
-  flat_name: process.target.elf.header.class
+registry.value:
+  dashed_name: registry-value
+  description: Name of the value written.
+  example: Debugger
+  flat_name: registry.value
   ignore_above: 1024
-  level: extended
-  name: header.class
+  level: core
+  name: value
   normalize: []
-  original_fieldset: elf
-  short: Header class of the ELF file.
+  short: Name of the value written.
   type: keyword
-process.target.elf.header.data:
-  dashed_name: process-target-elf-header-data
-  description: Data table of the ELF header.
-  flat_name: process.target.elf.header.data
+related.hash:
+  dashed_name: related-hash
+  description: All the hashes seen on your event. Populating this field, then using
+    it to search for hashes can help in situations where you're unsure what the hash
+    algorithm is (and therefore which key name to search).
+  flat_name: related.hash
   ignore_above: 1024
   level: extended
-  name: header.data
-  normalize: []
-  original_fieldset: elf
-  short: Data table of the ELF header.
+  name: hash
+  normalize:
+  - array
+  short: All the hashes seen on your event.
   type: keyword
-process.target.elf.header.entrypoint:
-  dashed_name: process-target-elf-header-entrypoint
-  description: Header entrypoint of the ELF file.
-  flat_name: process.target.elf.header.entrypoint
-  format: string
+related.hosts:
+  dashed_name: related-hosts
+  description: All hostnames or other host identifiers seen on your event. Example
+    identifiers include FQDNs, domain names, workstation names, or aliases.
+  flat_name: related.hosts
+  ignore_above: 1024
   level: extended
-  name: header.entrypoint
-  normalize: []
-  original_fieldset: elf
-  short: Header entrypoint of the ELF file.
-  type: long
-process.target.elf.header.object_version:
-  dashed_name: process-target-elf-header-object-version
-  description: '"0x1" for original ELF files.'
-  flat_name: process.target.elf.header.object_version
+  name: hosts
+  normalize:
+  - array
+  short: All the host identifiers seen on your event.
+  type: keyword
+related.ip:
+  dashed_name: related-ip
+  description: All of the IPs seen on your event.
+  flat_name: related.ip
+  level: extended
+  name: ip
+  normalize:
+  - array
+  short: All of the IPs seen on your event.
+  type: ip
+related.user:
+  dashed_name: related-user
+  description: All the user names or other user identifiers seen on the event.
+  flat_name: related.user
   ignore_above: 1024
   level: extended
-  name: header.object_version
-  normalize: []
-  original_fieldset: elf
-  short: '"0x1" for original ELF files.'
+  name: user
+  normalize:
+  - array
+  short: All the user names or other user identifiers seen on the event.
   type: keyword
-process.target.elf.header.os_abi:
-  dashed_name: process-target-elf-header-os-abi
-  description: Application Binary Interface (ABI) of the Linux OS.
-  flat_name: process.target.elf.header.os_abi
+rule.author:
+  dashed_name: rule-author
+  description: Name, organization, or pseudonym of the author or authors who created
+    the rule used to generate this event.
+  example: '["Star-Lord"]'
+  flat_name: rule.author
   ignore_above: 1024
   level: extended
-  name: header.os_abi
-  normalize: []
-  original_fieldset: elf
-  short: Application Binary Interface (ABI) of the Linux OS.
+  name: author
+  normalize:
+  - array
+  short: Rule author
   type: keyword
-process.target.elf.header.type:
-  dashed_name: process-target-elf-header-type
-  description: Header type of the ELF file.
-  flat_name: process.target.elf.header.type
+rule.category:
+  dashed_name: rule-category
+  description: A categorization value keyword used by the entity using the rule for
+    detection of this event.
+  example: Attempted Information Leak
+  flat_name: rule.category
   ignore_above: 1024
   level: extended
-  name: header.type
+  name: category
   normalize: []
-  original_fieldset: elf
-  short: Header type of the ELF file.
+  short: Rule category
   type: keyword
-process.target.elf.header.version:
-  dashed_name: process-target-elf-header-version
-  description: Version of the ELF header.
-  flat_name: process.target.elf.header.version
+rule.description:
+  dashed_name: rule-description
+  description: The description of the rule generating the event.
+  example: Block requests to public DNS over HTTPS / TLS protocols
+  flat_name: rule.description
   ignore_above: 1024
   level: extended
-  name: header.version
+  name: description
   normalize: []
-  original_fieldset: elf
-  short: Version of the ELF header.
+  short: Rule description
   type: keyword
-process.target.elf.imports:
-  dashed_name: process-target-elf-imports
-  description: List of imported element names and types.
-  flat_name: process.target.elf.imports
-  level: extended
-  name: imports
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of imported element names and types.
-  type: flattened
-process.target.elf.sections:
-  dashed_name: process-target-elf-sections
-  description: 'An array containing an object for each section of the ELF file.
-
-    The keys that should be present in these objects are defined by sub-fields underneath
-    `elf.sections.*`.'
-  flat_name: process.target.elf.sections
-  level: extended
-  name: sections
-  normalize:
-  - array
-  original_fieldset: elf
-  short: Section information of the ELF file.
-  type: nested
-process.target.elf.sections.chi2:
-  dashed_name: process-target-elf-sections-chi2
-  description: Chi-square probability distribution of the section.
-  flat_name: process.target.elf.sections.chi2
-  format: number
+rule.id:
+  dashed_name: rule-id
+  description: A rule ID that is unique within the scope of an agent, observer, or
+    other entity using the rule for detection of this event.
+  example: 101
+  flat_name: rule.id
+  ignore_above: 1024
   level: extended
-  name: sections.chi2
+  name: id
   normalize: []
-  original_fieldset: elf
-  short: Chi-square probability distribution of the section.
-  type: long
-process.target.elf.sections.entropy:
-  dashed_name: process-target-elf-sections-entropy
-  description: Shannon entropy calculation from the section.
-  flat_name: process.target.elf.sections.entropy
-  format: number
+  short: Rule ID
+  type: keyword
+rule.license:
+  dashed_name: rule-license
+  description: Name of the license under which the rule used to generate this event
+    is made available.
+  example: Apache 2.0
+  flat_name: rule.license
+  ignore_above: 1024
   level: extended
-  name: sections.entropy
+  name: license
   normalize: []
-  original_fieldset: elf
-  short: Shannon entropy calculation from the section.
-  type: long
-process.target.elf.sections.flags:
-  dashed_name: process-target-elf-sections-flags
-  description: ELF Section List flags.
-  flat_name: process.target.elf.sections.flags
+  short: Rule license
+  type: keyword
+rule.name:
+  dashed_name: rule-name
+  description: The name of the rule or signature generating the event.
+  example: BLOCK_DNS_over_TLS
+  flat_name: rule.name
   ignore_above: 1024
   level: extended
-  name: sections.flags
+  name: name
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List flags.
+  short: Rule name
   type: keyword
-process.target.elf.sections.name:
-  dashed_name: process-target-elf-sections-name
-  description: ELF Section List name.
-  flat_name: process.target.elf.sections.name
+rule.reference:
+  dashed_name: rule-reference
+  description: 'Reference URL to additional information about the rule used to generate
+    this event.
+
+    The URL can point to the vendor''s documentation about the rule. If that''s not
+    available, it can also be a link to a more general page describing this type of
+    alert.'
+  example: https://en.wikipedia.org/wiki/DNS_over_TLS
+  flat_name: rule.reference
   ignore_above: 1024
   level: extended
-  name: sections.name
+  name: reference
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List name.
+  short: Rule reference URL
   type: keyword
-process.target.elf.sections.physical_offset:
-  dashed_name: process-target-elf-sections-physical-offset
-  description: ELF Section List offset.
-  flat_name: process.target.elf.sections.physical_offset
+rule.ruleset:
+  dashed_name: rule-ruleset
+  description: Name of the ruleset, policy, group, or parent category in which the
+    rule used to generate this event is a member.
+  example: Standard_Protocol_Filters
+  flat_name: rule.ruleset
   ignore_above: 1024
   level: extended
-  name: sections.physical_offset
+  name: ruleset
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List offset.
+  short: Rule ruleset
   type: keyword
-process.target.elf.sections.physical_size:
-  dashed_name: process-target-elf-sections-physical-size
-  description: ELF Section List physical size.
-  flat_name: process.target.elf.sections.physical_size
-  format: bytes
+rule.uuid:
+  dashed_name: rule-uuid
+  description: A rule ID that is unique within the scope of a set or group of agents,
+    observers, or other entities using the rule for detection of this event.
+  example: 1100110011
+  flat_name: rule.uuid
+  ignore_above: 1024
   level: extended
-  name: sections.physical_size
+  name: uuid
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List physical size.
-  type: long
-process.target.elf.sections.type:
-  dashed_name: process-target-elf-sections-type
-  description: ELF Section List type.
-  flat_name: process.target.elf.sections.type
+  short: Rule UUID
+  type: keyword
+rule.version:
+  dashed_name: rule-version
+  description: The version / revision of the rule being used for analysis.
+  example: 1.1
+  flat_name: rule.version
   ignore_above: 1024
   level: extended
-  name: sections.type
+  name: version
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List type.
+  short: Rule version
   type: keyword
-process.target.elf.sections.virtual_address:
-  dashed_name: process-target-elf-sections-virtual-address
-  description: ELF Section List virtual address.
-  flat_name: process.target.elf.sections.virtual_address
-  format: string
+server.address:
+  dashed_name: server-address
+  description: 'Some event server addresses are defined ambiguously. The event will
+    sometimes list an IP, a domain or a unix socket.  You should always store the
+    raw address in the `.address` field.
+
+    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+    is.'
+  flat_name: server.address
+  ignore_above: 1024
   level: extended
-  name: sections.virtual_address
+  name: address
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List virtual address.
-  type: long
-process.target.elf.sections.virtual_size:
-  dashed_name: process-target-elf-sections-virtual-size
-  description: ELF Section List virtual size.
-  flat_name: process.target.elf.sections.virtual_size
-  format: string
+  short: Server network address.
+  type: keyword
+server.as.number:
+  dashed_name: server-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: server.as.number
   level: extended
-  name: sections.virtual_size
+  name: number
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List virtual size.
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
   type: long
-process.target.elf.segments:
-  dashed_name: process-target-elf-segments
-  description: 'An array containing an object for each segment of the ELF file.
-
-    The keys that should be present in these objects are defined by sub-fields underneath
-    `elf.segments.*`.'
-  flat_name: process.target.elf.segments
-  level: extended
-  name: segments
-  normalize:
-  - array
-  original_fieldset: elf
-  short: ELF object segment list.
-  type: nested
-process.target.elf.segments.sections:
-  dashed_name: process-target-elf-segments-sections
-  description: ELF object segment sections.
-  flat_name: process.target.elf.segments.sections
+server.as.organization.name:
+  dashed_name: server-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: server.as.organization.name
   ignore_above: 1024
   level: extended
-  name: segments.sections
+  multi_fields:
+  - flat_name: server.as.organization.name.text
+    name: text
+    type: match_only_text
+  name: organization.name
   normalize: []
-  original_fieldset: elf
-  short: ELF object segment sections.
+  original_fieldset: as
+  short: Organization name.
   type: keyword
-process.target.elf.segments.type:
-  dashed_name: process-target-elf-segments-type
-  description: ELF object segment type.
-  flat_name: process.target.elf.segments.type
+server.bytes:
+  dashed_name: server-bytes
+  description: Bytes sent from the server to the client.
+  example: 184
+  flat_name: server.bytes
+  format: bytes
+  level: core
+  name: bytes
+  normalize: []
+  short: Bytes sent from the server to the client.
+  type: long
+server.domain:
+  dashed_name: server-domain
+  description: Server domain.
+  flat_name: server.domain
   ignore_above: 1024
-  level: extended
-  name: segments.type
+  level: core
+  name: domain
   normalize: []
-  original_fieldset: elf
-  short: ELF object segment type.
+  short: Server domain.
   type: keyword
-process.target.elf.shared_libraries:
-  dashed_name: process-target-elf-shared-libraries
-  description: List of shared libraries used by this ELF object.
-  flat_name: process.target.elf.shared_libraries
+server.geo.city_name:
+  dashed_name: server-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: server.geo.city_name
   ignore_above: 1024
-  level: extended
-  name: shared_libraries
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of shared libraries used by this ELF object.
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
   type: keyword
-process.target.elf.telfhash:
-  dashed_name: process-target-elf-telfhash
-  description: telfhash symbol hash for ELF file.
-  flat_name: process.target.elf.telfhash
+server.geo.continent_code:
+  dashed_name: server-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: server.geo.continent_code
   ignore_above: 1024
-  level: extended
-  name: telfhash
+  level: core
+  name: continent_code
   normalize: []
-  original_fieldset: elf
-  short: telfhash hash for ELF file.
+  original_fieldset: geo
+  short: Continent code.
   type: keyword
-process.target.end:
-  dashed_name: process-target-end
-  description: The time the process ended.
-  example: '2016-05-23T08:05:34.853Z'
-  flat_name: process.target.end
-  level: extended
-  name: end
-  normalize: []
-  original_fieldset: process
-  short: The time the process ended.
-  type: date
-process.target.entity_id:
-  dashed_name: process-target-entity-id
-  description: 'Unique identifier for the process.
-
-    The implementation of this is specified by the data source, but some examples
-    of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
-    or a hash of some uniquely identifying components of a process.
-
-    Constructing a globally unique identifier is a common practice to mitigate PID
-    reuse as well as to identify a specific process over time, across multiple monitored
-    hosts.'
-  example: c2c455d9f99375d
-  flat_name: process.target.entity_id
+server.geo.continent_name:
+  dashed_name: server-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: server.geo.continent_name
   ignore_above: 1024
-  level: extended
-  name: entity_id
+  level: core
+  name: continent_name
   normalize: []
-  original_fieldset: process
-  short: Unique identifier for the process.
+  original_fieldset: geo
+  short: Name of the continent.
   type: keyword
-process.target.executable:
-  dashed_name: process-target-executable
-  description: Absolute path to the process executable.
-  example: /usr/bin/ssh
-  flat_name: process.target.executable
+server.geo.country_iso_code:
+  dashed_name: server-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: server.geo.country_iso_code
   ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: process.target.executable.text
-    name: text
-    type: match_only_text
-  name: executable
+  level: core
+  name: country_iso_code
   normalize: []
-  original_fieldset: process
-  short: Absolute path to the process executable.
+  original_fieldset: geo
+  short: Country ISO code.
   type: keyword
-process.target.exit_code:
-  dashed_name: process-target-exit-code
-  description: 'The exit code of the process, if this is a termination event.
-
-    The field should be absent if there is no exit code for the event (e.g. process
-    start).'
-  example: 137
-  flat_name: process.target.exit_code
-  level: extended
-  name: exit_code
-  normalize: []
-  original_fieldset: process
-  short: The exit code of the process.
-  type: long
-process.target.hash.md5:
-  dashed_name: process-target-hash-md5
-  description: MD5 hash.
-  flat_name: process.target.hash.md5
+server.geo.country_name:
+  dashed_name: server-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: server.geo.country_name
   ignore_above: 1024
-  level: extended
-  name: md5
+  level: core
+  name: country_name
   normalize: []
-  original_fieldset: hash
-  short: MD5 hash.
+  original_fieldset: geo
+  short: Country name.
   type: keyword
-process.target.hash.sha1:
-  dashed_name: process-target-hash-sha1
-  description: SHA1 hash.
-  flat_name: process.target.hash.sha1
+server.geo.location:
+  dashed_name: server-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: server.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+server.geo.name:
+  dashed_name: server-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: server.geo.name
   ignore_above: 1024
   level: extended
-  name: sha1
+  name: name
   normalize: []
-  original_fieldset: hash
-  short: SHA1 hash.
+  original_fieldset: geo
+  short: User-defined description of a location.
   type: keyword
-process.target.hash.sha256:
-  dashed_name: process-target-hash-sha256
-  description: SHA256 hash.
-  flat_name: process.target.hash.sha256
+server.geo.postal_code:
+  dashed_name: server-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: server.geo.postal_code
   ignore_above: 1024
-  level: extended
-  name: sha256
+  level: core
+  name: postal_code
   normalize: []
-  original_fieldset: hash
-  short: SHA256 hash.
+  original_fieldset: geo
+  short: Postal code.
   type: keyword
-process.target.hash.sha512:
-  dashed_name: process-target-hash-sha512
-  description: SHA512 hash.
-  flat_name: process.target.hash.sha512
+server.geo.region_iso_code:
+  dashed_name: server-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: server.geo.region_iso_code
   ignore_above: 1024
-  level: extended
-  name: sha512
+  level: core
+  name: region_iso_code
   normalize: []
-  original_fieldset: hash
-  short: SHA512 hash.
+  original_fieldset: geo
+  short: Region ISO code.
   type: keyword
-process.target.hash.ssdeep:
-  dashed_name: process-target-hash-ssdeep
-  description: SSDEEP hash.
-  flat_name: process.target.hash.ssdeep
+server.geo.region_name:
+  dashed_name: server-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: server.geo.region_name
   ignore_above: 1024
-  level: extended
-  name: ssdeep
+  level: core
+  name: region_name
   normalize: []
-  original_fieldset: hash
-  short: SSDEEP hash.
+  original_fieldset: geo
+  short: Region name.
   type: keyword
-process.target.name:
-  dashed_name: process-target-name
-  description: 'Process name.
-
-    Sometimes called program name or similar.'
-  example: ssh
-  flat_name: process.target.name
+server.geo.timezone:
+  dashed_name: server-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: server.geo.timezone
   ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: process.target.name.text
-    name: text
-    type: match_only_text
-  name: name
+  level: core
+  name: timezone
   normalize: []
-  original_fieldset: process
-  short: Process name.
+  original_fieldset: geo
+  short: Time zone.
   type: keyword
-process.target.parent.args:
-  dashed_name: process-target-parent-args
-  description: 'Array of process arguments, starting with the absolute path to the
-    executable.
-
-    May be filtered to protect sensitive information.'
-  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
-  flat_name: process.target.parent.args
+server.ip:
+  dashed_name: server-ip
+  description: IP address of the server (IPv4 or IPv6).
+  flat_name: server.ip
+  level: core
+  name: ip
+  normalize: []
+  short: IP address of the server.
+  type: ip
+server.mac:
+  dashed_name: server-mac
+  description: 'MAC address of the server.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
+  flat_name: server.mac
   ignore_above: 1024
-  level: extended
-  name: args
-  normalize:
-  - array
-  original_fieldset: process
-  short: Array of process arguments.
+  level: core
+  name: mac
+  normalize: []
+  short: MAC address of the server.
   type: keyword
-process.target.parent.args_count:
-  dashed_name: process-target-parent-args-count
-  description: 'Length of the process.args array.
+server.nat.ip:
+  dashed_name: server-nat-ip
+  description: 'Translated ip of destination based NAT sessions (e.g. internet to
+    private DMZ)
 
-    This field can be useful for querying or performing bucket analysis on how many
-    arguments were provided to start a process. More arguments may be an indication
-    of suspicious activity.'
-  example: 4
-  flat_name: process.target.parent.args_count
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: server.nat.ip
   level: extended
-  name: args_count
+  name: nat.ip
   normalize: []
-  original_fieldset: process
-  short: Length of the process.args array.
-  type: long
-process.target.parent.code_signature.digest_algorithm:
-  dashed_name: process-target-parent-code-signature-digest-algorithm
-  description: 'The hashing algorithm used to sign the process.
+  short: Server NAT ip
+  type: ip
+server.nat.port:
+  dashed_name: server-nat-port
+  description: 'Translated port of destination based NAT sessions (e.g. internet to
+    private DMZ)
 
-    This value can distinguish signatures when a file is signed multiple times by
-    the same signer but with a different digest algorithm.'
-  example: sha256
-  flat_name: process.target.parent.code_signature.digest_algorithm
-  ignore_above: 1024
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: server.nat.port
+  format: string
   level: extended
-  name: digest_algorithm
+  name: nat.port
   normalize: []
-  original_fieldset: code_signature
-  short: Hashing algorithm used to sign the process.
-  type: keyword
-process.target.parent.code_signature.exists:
-  dashed_name: process-target-parent-code-signature-exists
-  description: Boolean to capture if a signature is present.
-  example: 'true'
-  flat_name: process.target.parent.code_signature.exists
+  short: Server NAT port
+  type: long
+server.packets:
+  dashed_name: server-packets
+  description: Packets sent from the server to the client.
+  example: 12
+  flat_name: server.packets
   level: core
-  name: exists
+  name: packets
   normalize: []
-  original_fieldset: code_signature
-  short: Boolean to capture if a signature is present.
-  type: boolean
-process.target.parent.code_signature.signing_id:
-  dashed_name: process-target-parent-code-signature-signing-id
-  description: 'The identifier used to sign the process.
+  short: Packets sent from the server to the client.
+  type: long
+server.port:
+  dashed_name: server-port
+  description: Port of the server.
+  flat_name: server.port
+  format: string
+  level: core
+  name: port
+  normalize: []
+  short: Port of the server.
+  type: long
+server.registered_domain:
+  dashed_name: server-registered-domain
+  description: 'The highest registered server domain, stripped of the subdomain.
 
-    This is used to identify the application manufactured by a software vendor. The
-    field is relevant to Apple *OS only.'
-  example: com.apple.xpc.proxy
-  flat_name: process.target.parent.code_signature.signing_id
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: server.registered_domain
   ignore_above: 1024
   level: extended
-  name: signing_id
+  name: registered_domain
   normalize: []
-  original_fieldset: code_signature
-  short: The identifier used to sign the process.
+  short: The highest registered server domain, stripped of the subdomain.
   type: keyword
-process.target.parent.code_signature.status:
-  dashed_name: process-target-parent-code-signature-status
-  description: 'Additional information about the certificate status.
+server.subdomain:
+  dashed_name: server-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
 
-    This is useful for logging cryptographic errors with the certificate validity
-    or trust status. Leave unpopulated if the validity or trust of the certificate
-    was unchecked.'
-  example: ERROR_UNTRUSTED_ROOT
-  flat_name: process.target.parent.code_signature.status
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: server.subdomain
   ignore_above: 1024
   level: extended
-  name: status
-  normalize: []
-  original_fieldset: code_signature
-  short: Additional information about the certificate status.
-  type: keyword
-process.target.parent.code_signature.subject_name:
-  dashed_name: process-target-parent-code-signature-subject-name
-  description: Subject name of the code signer
-  example: Microsoft Corporation
-  flat_name: process.target.parent.code_signature.subject_name
-  ignore_above: 1024
-  level: core
-  name: subject_name
+  name: subdomain
   normalize: []
-  original_fieldset: code_signature
-  short: Subject name of the code signer
+  short: The subdomain of the domain.
   type: keyword
-process.target.parent.code_signature.team_id:
-  dashed_name: process-target-parent-code-signature-team-id
-  description: 'The team identifier used to sign the process.
+server.top_level_domain:
+  dashed_name: server-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
 
-    This is used to identify the team or vendor of a software product. The field is
-    relevant to Apple *OS only.'
-  example: EQHXZ8M8AV
-  flat_name: process.target.parent.code_signature.team_id
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: server.top_level_domain
   ignore_above: 1024
   level: extended
-  name: team_id
+  name: top_level_domain
   normalize: []
-  original_fieldset: code_signature
-  short: The team identifier used to sign the process.
+  short: The effective top level domain (com, org, net, co.uk).
   type: keyword
-process.target.parent.code_signature.timestamp:
-  dashed_name: process-target-parent-code-signature-timestamp
-  description: Date and time when the code signature was generated and signed.
-  example: '2021-01-01T12:10:30Z'
-  flat_name: process.target.parent.code_signature.timestamp
-  level: extended
-  name: timestamp
-  normalize: []
-  original_fieldset: code_signature
-  short: When the signature was generated and signed.
-  type: date
-process.target.parent.code_signature.trusted:
-  dashed_name: process-target-parent-code-signature-trusted
-  description: 'Stores the trust status of the certificate chain.
+server.user.domain:
+  dashed_name: server-user-domain
+  description: 'Name of the directory the user is a member of.
 
-    Validating the trust of the certificate chain may be complicated, and this field
-    should only be populated by tools that actively check the status.'
-  example: 'true'
-  flat_name: process.target.parent.code_signature.trusted
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: server.user.domain
+  ignore_above: 1024
   level: extended
-  name: trusted
+  name: domain
   normalize: []
-  original_fieldset: code_signature
-  short: Stores the trust status of the certificate chain.
-  type: boolean
-process.target.parent.code_signature.valid:
-  dashed_name: process-target-parent-code-signature-valid
-  description: 'Boolean to capture if the digital signature is verified against the
-    binary content.
-
-    Leave unpopulated if a certificate was unchecked.'
-  example: 'true'
-  flat_name: process.target.parent.code_signature.valid
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+server.user.email:
+  dashed_name: server-user-email
+  description: User email address.
+  flat_name: server.user.email
+  ignore_above: 1024
   level: extended
-  name: valid
+  name: email
   normalize: []
-  original_fieldset: code_signature
-  short: Boolean to capture if the digital signature is verified against the binary
-    content.
-  type: boolean
-process.target.parent.command_line:
-  dashed_name: process-target-parent-command-line
-  description: 'Full command line that started the process, including the absolute
-    path to the executable, and all arguments.
-
-    Some arguments may be filtered to protect sensitive information.'
-  example: /usr/bin/ssh -l user 10.0.0.16
-  flat_name: process.target.parent.command_line
+  original_fieldset: user
+  short: User email address.
+  type: keyword
+server.user.full_name:
+  dashed_name: server-user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: server.user.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
-  - flat_name: process.target.parent.command_line.text
+  - flat_name: server.user.full_name.text
     name: text
     type: match_only_text
-  name: command_line
+  name: full_name
   normalize: []
-  original_fieldset: process
-  short: Full command line that started the process.
-  type: wildcard
-process.target.parent.elf.architecture:
-  dashed_name: process-target-parent-elf-architecture
-  description: Machine architecture of the ELF file.
-  example: x86-64
-  flat_name: process.target.parent.elf.architecture
+  original_fieldset: user
+  short: User's full name, if available.
+  type: keyword
+server.user.group.domain:
+  dashed_name: server-user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: server.user.group.domain
   ignore_above: 1024
   level: extended
-  name: architecture
+  name: domain
   normalize: []
-  original_fieldset: elf
-  short: Machine architecture of the ELF file.
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
   type: keyword
-process.target.parent.elf.byte_order:
-  dashed_name: process-target-parent-elf-byte-order
-  description: Byte sequence of ELF file.
-  example: Little Endian
-  flat_name: process.target.parent.elf.byte_order
+server.user.group.id:
+  dashed_name: server-user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: server.user.group.id
   ignore_above: 1024
   level: extended
-  name: byte_order
+  name: id
   normalize: []
-  original_fieldset: elf
-  short: Byte sequence of ELF file.
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
   type: keyword
-process.target.parent.elf.cpu_type:
-  dashed_name: process-target-parent-elf-cpu-type
-  description: CPU type of the ELF file.
-  example: Intel
-  flat_name: process.target.parent.elf.cpu_type
+server.user.group.name:
+  dashed_name: server-user-group-name
+  description: Name of the group.
+  flat_name: server.user.group.name
   ignore_above: 1024
   level: extended
-  name: cpu_type
+  name: name
   normalize: []
-  original_fieldset: elf
-  short: CPU type of the ELF file.
+  original_fieldset: group
+  short: Name of the group.
   type: keyword
-process.target.parent.elf.creation_date:
-  dashed_name: process-target-parent-elf-creation-date
-  description: Extracted when possible from the file's metadata. Indicates when it
-    was built or compiled. It can also be faked by malware creators.
-  flat_name: process.target.parent.elf.creation_date
-  level: extended
-  name: creation_date
-  normalize: []
-  original_fieldset: elf
-  short: Build or compile date.
-  type: date
-process.target.parent.elf.exports:
-  dashed_name: process-target-parent-elf-exports
-  description: List of exported element names and types.
-  flat_name: process.target.parent.elf.exports
-  level: extended
-  name: exports
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of exported element names and types.
-  type: flattened
-process.target.parent.elf.header.abi_version:
-  dashed_name: process-target-parent-elf-header-abi-version
-  description: Version of the ELF Application Binary Interface (ABI).
-  flat_name: process.target.parent.elf.header.abi_version
+server.user.hash:
+  dashed_name: server-user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: server.user.hash
   ignore_above: 1024
   level: extended
-  name: header.abi_version
+  name: hash
   normalize: []
-  original_fieldset: elf
-  short: Version of the ELF Application Binary Interface (ABI).
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
   type: keyword
-process.target.parent.elf.header.class:
-  dashed_name: process-target-parent-elf-header-class
-  description: Header class of the ELF file.
-  flat_name: process.target.parent.elf.header.class
+server.user.id:
+  dashed_name: server-user-id
+  description: Unique identifier of the user.
+  example: S-1-5-21-202424912787-2692429404-2351956786-1000
+  flat_name: server.user.id
   ignore_above: 1024
-  level: extended
-  name: header.class
+  level: core
+  name: id
   normalize: []
-  original_fieldset: elf
-  short: Header class of the ELF file.
+  original_fieldset: user
+  short: Unique identifier of the user.
   type: keyword
-process.target.parent.elf.header.data:
-  dashed_name: process-target-parent-elf-header-data
-  description: Data table of the ELF header.
-  flat_name: process.target.parent.elf.header.data
+server.user.name:
+  dashed_name: server-user-name
+  description: Short name or login of the user.
+  example: a.einstein
+  flat_name: server.user.name
   ignore_above: 1024
-  level: extended
-  name: header.data
+  level: core
+  multi_fields:
+  - flat_name: server.user.name.text
+    name: text
+    type: match_only_text
+  name: name
   normalize: []
-  original_fieldset: elf
-  short: Data table of the ELF header.
+  original_fieldset: user
+  short: Short name or login of the user.
   type: keyword
-process.target.parent.elf.header.entrypoint:
-  dashed_name: process-target-parent-elf-header-entrypoint
-  description: Header entrypoint of the ELF file.
-  flat_name: process.target.parent.elf.header.entrypoint
-  format: string
-  level: extended
-  name: header.entrypoint
-  normalize: []
-  original_fieldset: elf
-  short: Header entrypoint of the ELF file.
-  type: long
-process.target.parent.elf.header.object_version:
-  dashed_name: process-target-parent-elf-header-object-version
-  description: '"0x1" for original ELF files.'
-  flat_name: process.target.parent.elf.header.object_version
+server.user.roles:
+  dashed_name: server-user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: server.user.roles
   ignore_above: 1024
   level: extended
-  name: header.object_version
-  normalize: []
-  original_fieldset: elf
-  short: '"0x1" for original ELF files.'
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
   type: keyword
-process.target.parent.elf.header.os_abi:
-  dashed_name: process-target-parent-elf-header-os-abi
-  description: Application Binary Interface (ABI) of the Linux OS.
-  flat_name: process.target.parent.elf.header.os_abi
+service.address:
+  dashed_name: service-address
+  description: 'Address where data about this service was collected from.
+
+    This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+    path (sockets).'
+  example: 172.26.0.2:5432
+  flat_name: service.address
   ignore_above: 1024
   level: extended
-  name: header.os_abi
+  name: address
   normalize: []
-  original_fieldset: elf
-  short: Application Binary Interface (ABI) of the Linux OS.
+  short: Address of this service.
   type: keyword
-process.target.parent.elf.header.type:
-  dashed_name: process-target-parent-elf-header-type
-  description: Header type of the ELF file.
-  flat_name: process.target.parent.elf.header.type
+service.environment:
+  beta: This field is beta and subject to change.
+  dashed_name: service-environment
+  description: 'Identifies the environment where the service is running.
+
+    If the same service runs in different environments (production, staging, QA, development,
+    etc.), the environment can identify other instances of the same service. Can also
+    group services and applications from the same environment.'
+  example: production
+  flat_name: service.environment
   ignore_above: 1024
   level: extended
-  name: header.type
+  name: environment
   normalize: []
-  original_fieldset: elf
-  short: Header type of the ELF file.
+  short: Environment of the service.
   type: keyword
-process.target.parent.elf.header.version:
-  dashed_name: process-target-parent-elf-header-version
-  description: Version of the ELF header.
-  flat_name: process.target.parent.elf.header.version
+service.ephemeral_id:
+  dashed_name: service-ephemeral-id
+  description: 'Ephemeral identifier of this service (if one exists).
+
+    This id normally changes across restarts, but `service.id` does not.'
+  example: 8a4f500f
+  flat_name: service.ephemeral_id
   ignore_above: 1024
   level: extended
-  name: header.version
+  name: ephemeral_id
   normalize: []
-  original_fieldset: elf
-  short: Version of the ELF header.
+  short: Ephemeral identifier of this service.
   type: keyword
-process.target.parent.elf.imports:
-  dashed_name: process-target-parent-elf-imports
-  description: List of imported element names and types.
-  flat_name: process.target.parent.elf.imports
-  level: extended
-  name: imports
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of imported element names and types.
-  type: flattened
-process.target.parent.elf.sections:
-  dashed_name: process-target-parent-elf-sections
-  description: 'An array containing an object for each section of the ELF file.
+service.id:
+  dashed_name: service-id
+  description: 'Unique identifier of the running service. If the service is comprised
+    of many nodes, the `service.id` should be the same for all nodes.
 
-    The keys that should be present in these objects are defined by sub-fields underneath
-    `elf.sections.*`.'
-  flat_name: process.target.parent.elf.sections
-  level: extended
-  name: sections
-  normalize:
-  - array
-  original_fieldset: elf
-  short: Section information of the ELF file.
-  type: nested
-process.target.parent.elf.sections.chi2:
-  dashed_name: process-target-parent-elf-sections-chi2
-  description: Chi-square probability distribution of the section.
-  flat_name: process.target.parent.elf.sections.chi2
-  format: number
-  level: extended
-  name: sections.chi2
+    This id should uniquely identify the service. This makes it possible to correlate
+    logs and metrics for one specific service, no matter which particular node emitted
+    the event.
+
+    Note that if you need to see the events from one specific host of the service,
+    you should filter on that `host.name` or `host.id` instead.'
+  example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+  flat_name: service.id
+  ignore_above: 1024
+  level: core
+  name: id
   normalize: []
-  original_fieldset: elf
-  short: Chi-square probability distribution of the section.
-  type: long
-process.target.parent.elf.sections.entropy:
-  dashed_name: process-target-parent-elf-sections-entropy
-  description: Shannon entropy calculation from the section.
-  flat_name: process.target.parent.elf.sections.entropy
-  format: number
-  level: extended
-  name: sections.entropy
+  short: Unique identifier of the running service.
+  type: keyword
+service.name:
+  dashed_name: service-name
+  description: 'Name of the service data is collected from.
+
+    The name of the service is normally user given. This allows for distributed services
+    that run on multiple hosts to correlate the related instances based on the name.
+
+    In the case of Elasticsearch the `service.name` could contain the cluster name.
+    For Beats the `service.name` is by default a copy of the `service.type` field
+    if no name is specified.'
+  example: elasticsearch-metrics
+  flat_name: service.name
+  ignore_above: 1024
+  level: core
+  name: name
   normalize: []
-  original_fieldset: elf
-  short: Shannon entropy calculation from the section.
-  type: long
-process.target.parent.elf.sections.flags:
-  dashed_name: process-target-parent-elf-sections-flags
-  description: ELF Section List flags.
-  flat_name: process.target.parent.elf.sections.flags
+  short: Name of the service.
+  type: keyword
+service.node.name:
+  dashed_name: service-node-name
+  description: 'Name of a service node.
+
+    This allows for two nodes of the same service running on the same host to be differentiated.
+    Therefore, `service.node.name` should typically be unique across nodes of a given
+    service.
+
+    In the case of Elasticsearch, the `service.node.name` could contain the unique
+    node name within the Elasticsearch cluster. In cases where the service doesn''t
+    have the concept of a node name, the host name or container name can be used to
+    distinguish running instances that make up this service. If those do not provide
+    uniqueness (e.g. multiple instances of the service running on the same host) -
+    the node name can be manually set.'
+  example: instance-0000000016
+  flat_name: service.node.name
   ignore_above: 1024
   level: extended
-  name: sections.flags
+  name: node.name
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List flags.
+  short: Name of the service node.
   type: keyword
-process.target.parent.elf.sections.name:
-  dashed_name: process-target-parent-elf-sections-name
-  description: ELF Section List name.
-  flat_name: process.target.parent.elf.sections.name
+service.origin.address:
+  dashed_name: service-origin-address
+  description: 'Address where data about this service was collected from.
+
+    This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+    path (sockets).'
+  example: 172.26.0.2:5432
+  flat_name: service.origin.address
   ignore_above: 1024
   level: extended
-  name: sections.name
+  name: address
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List name.
+  original_fieldset: service
+  short: Address of this service.
   type: keyword
-process.target.parent.elf.sections.physical_offset:
-  dashed_name: process-target-parent-elf-sections-physical-offset
-  description: ELF Section List offset.
-  flat_name: process.target.parent.elf.sections.physical_offset
+service.origin.environment:
+  beta: This field is beta and subject to change.
+  dashed_name: service-origin-environment
+  description: 'Identifies the environment where the service is running.
+
+    If the same service runs in different environments (production, staging, QA, development,
+    etc.), the environment can identify other instances of the same service. Can also
+    group services and applications from the same environment.'
+  example: production
+  flat_name: service.origin.environment
   ignore_above: 1024
   level: extended
-  name: sections.physical_offset
+  name: environment
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List offset.
+  original_fieldset: service
+  short: Environment of the service.
   type: keyword
-process.target.parent.elf.sections.physical_size:
-  dashed_name: process-target-parent-elf-sections-physical-size
-  description: ELF Section List physical size.
-  flat_name: process.target.parent.elf.sections.physical_size
-  format: bytes
+service.origin.ephemeral_id:
+  dashed_name: service-origin-ephemeral-id
+  description: 'Ephemeral identifier of this service (if one exists).
+
+    This id normally changes across restarts, but `service.id` does not.'
+  example: 8a4f500f
+  flat_name: service.origin.ephemeral_id
+  ignore_above: 1024
   level: extended
-  name: sections.physical_size
+  name: ephemeral_id
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List physical size.
-  type: long
-process.target.parent.elf.sections.type:
-  dashed_name: process-target-parent-elf-sections-type
-  description: ELF Section List type.
-  flat_name: process.target.parent.elf.sections.type
-  ignore_above: 1024
-  level: extended
-  name: sections.type
-  normalize: []
-  original_fieldset: elf
-  short: ELF Section List type.
+  original_fieldset: service
+  short: Ephemeral identifier of this service.
   type: keyword
-process.target.parent.elf.sections.virtual_address:
-  dashed_name: process-target-parent-elf-sections-virtual-address
-  description: ELF Section List virtual address.
-  flat_name: process.target.parent.elf.sections.virtual_address
-  format: string
-  level: extended
-  name: sections.virtual_address
-  normalize: []
-  original_fieldset: elf
-  short: ELF Section List virtual address.
-  type: long
-process.target.parent.elf.sections.virtual_size:
-  dashed_name: process-target-parent-elf-sections-virtual-size
-  description: ELF Section List virtual size.
-  flat_name: process.target.parent.elf.sections.virtual_size
-  format: string
-  level: extended
-  name: sections.virtual_size
-  normalize: []
-  original_fieldset: elf
-  short: ELF Section List virtual size.
-  type: long
-process.target.parent.elf.segments:
-  dashed_name: process-target-parent-elf-segments
-  description: 'An array containing an object for each segment of the ELF file.
+service.origin.id:
+  dashed_name: service-origin-id
+  description: 'Unique identifier of the running service. If the service is comprised
+    of many nodes, the `service.id` should be the same for all nodes.
 
-    The keys that should be present in these objects are defined by sub-fields underneath
-    `elf.segments.*`.'
-  flat_name: process.target.parent.elf.segments
-  level: extended
-  name: segments
-  normalize:
-  - array
-  original_fieldset: elf
-  short: ELF object segment list.
-  type: nested
-process.target.parent.elf.segments.sections:
-  dashed_name: process-target-parent-elf-segments-sections
-  description: ELF object segment sections.
-  flat_name: process.target.parent.elf.segments.sections
+    This id should uniquely identify the service. This makes it possible to correlate
+    logs and metrics for one specific service, no matter which particular node emitted
+    the event.
+
+    Note that if you need to see the events from one specific host of the service,
+    you should filter on that `host.name` or `host.id` instead.'
+  example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+  flat_name: service.origin.id
   ignore_above: 1024
-  level: extended
-  name: segments.sections
+  level: core
+  name: id
   normalize: []
-  original_fieldset: elf
-  short: ELF object segment sections.
+  original_fieldset: service
+  short: Unique identifier of the running service.
   type: keyword
-process.target.parent.elf.segments.type:
-  dashed_name: process-target-parent-elf-segments-type
-  description: ELF object segment type.
-  flat_name: process.target.parent.elf.segments.type
+service.origin.name:
+  dashed_name: service-origin-name
+  description: 'Name of the service data is collected from.
+
+    The name of the service is normally user given. This allows for distributed services
+    that run on multiple hosts to correlate the related instances based on the name.
+
+    In the case of Elasticsearch the `service.name` could contain the cluster name.
+    For Beats the `service.name` is by default a copy of the `service.type` field
+    if no name is specified.'
+  example: elasticsearch-metrics
+  flat_name: service.origin.name
   ignore_above: 1024
-  level: extended
-  name: segments.type
+  level: core
+  name: name
   normalize: []
-  original_fieldset: elf
-  short: ELF object segment type.
+  original_fieldset: service
+  short: Name of the service.
   type: keyword
-process.target.parent.elf.shared_libraries:
-  dashed_name: process-target-parent-elf-shared-libraries
-  description: List of shared libraries used by this ELF object.
-  flat_name: process.target.parent.elf.shared_libraries
+service.origin.node.name:
+  dashed_name: service-origin-node-name
+  description: 'Name of a service node.
+
+    This allows for two nodes of the same service running on the same host to be differentiated.
+    Therefore, `service.node.name` should typically be unique across nodes of a given
+    service.
+
+    In the case of Elasticsearch, the `service.node.name` could contain the unique
+    node name within the Elasticsearch cluster. In cases where the service doesn''t
+    have the concept of a node name, the host name or container name can be used to
+    distinguish running instances that make up this service. If those do not provide
+    uniqueness (e.g. multiple instances of the service running on the same host) -
+    the node name can be manually set.'
+  example: instance-0000000016
+  flat_name: service.origin.node.name
   ignore_above: 1024
   level: extended
-  name: shared_libraries
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of shared libraries used by this ELF object.
+  name: node.name
+  normalize: []
+  original_fieldset: service
+  short: Name of the service node.
   type: keyword
-process.target.parent.elf.telfhash:
-  dashed_name: process-target-parent-elf-telfhash
-  description: telfhash symbol hash for ELF file.
-  flat_name: process.target.parent.elf.telfhash
+service.origin.state:
+  dashed_name: service-origin-state
+  description: Current state of the service.
+  flat_name: service.origin.state
   ignore_above: 1024
-  level: extended
-  name: telfhash
+  level: core
+  name: state
   normalize: []
-  original_fieldset: elf
-  short: telfhash hash for ELF file.
+  original_fieldset: service
+  short: Current state of the service.
   type: keyword
-process.target.parent.end:
-  dashed_name: process-target-parent-end
-  description: The time the process ended.
-  example: '2016-05-23T08:05:34.853Z'
-  flat_name: process.target.parent.end
-  level: extended
-  name: end
-  normalize: []
-  original_fieldset: process
-  short: The time the process ended.
-  type: date
-process.target.parent.entity_id:
-  dashed_name: process-target-parent-entity-id
-  description: 'Unique identifier for the process.
+service.origin.type:
+  dashed_name: service-origin-type
+  description: 'The type of the service data is collected from.
 
-    The implementation of this is specified by the data source, but some examples
-    of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
-    or a hash of some uniquely identifying components of a process.
+    The type can be used to group and correlate logs and metrics from one service
+    type.
 
-    Constructing a globally unique identifier is a common practice to mitigate PID
-    reuse as well as to identify a specific process over time, across multiple monitored
-    hosts.'
-  example: c2c455d9f99375d
-  flat_name: process.target.parent.entity_id
+    Example: If logs or metrics are collected from Elasticsearch, `service.type` would
+    be `elasticsearch`.'
+  example: elasticsearch
+  flat_name: service.origin.type
   ignore_above: 1024
-  level: extended
-  name: entity_id
+  level: core
+  name: type
   normalize: []
-  original_fieldset: process
-  short: Unique identifier for the process.
+  original_fieldset: service
+  short: The type of the service.
   type: keyword
-process.target.parent.executable:
-  dashed_name: process-target-parent-executable
-  description: Absolute path to the process executable.
-  example: /usr/bin/ssh
-  flat_name: process.target.parent.executable
+service.origin.version:
+  dashed_name: service-origin-version
+  description: 'Version of the service the data was collected from.
+
+    This allows to look at a data set only for a specific version of a service.'
+  example: 3.2.4
+  flat_name: service.origin.version
   ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: process.target.parent.executable.text
-    name: text
-    type: match_only_text
-  name: executable
+  level: core
+  name: version
   normalize: []
-  original_fieldset: process
-  short: Absolute path to the process executable.
+  original_fieldset: service
+  short: Version of the service.
   type: keyword
-process.target.parent.exit_code:
-  dashed_name: process-target-parent-exit-code
-  description: 'The exit code of the process, if this is a termination event.
-
-    The field should be absent if there is no exit code for the event (e.g. process
-    start).'
-  example: 137
-  flat_name: process.target.parent.exit_code
-  level: extended
-  name: exit_code
-  normalize: []
-  original_fieldset: process
-  short: The exit code of the process.
-  type: long
-process.target.parent.hash.md5:
-  dashed_name: process-target-parent-hash-md5
-  description: MD5 hash.
-  flat_name: process.target.parent.hash.md5
+service.state:
+  dashed_name: service-state
+  description: Current state of the service.
+  flat_name: service.state
   ignore_above: 1024
-  level: extended
-  name: md5
+  level: core
+  name: state
   normalize: []
-  original_fieldset: hash
-  short: MD5 hash.
+  short: Current state of the service.
   type: keyword
-process.target.parent.hash.sha1:
-  dashed_name: process-target-parent-hash-sha1
-  description: SHA1 hash.
-  flat_name: process.target.parent.hash.sha1
+service.target.address:
+  dashed_name: service-target-address
+  description: 'Address where data about this service was collected from.
+
+    This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+    path (sockets).'
+  example: 172.26.0.2:5432
+  flat_name: service.target.address
   ignore_above: 1024
   level: extended
-  name: sha1
+  name: address
   normalize: []
-  original_fieldset: hash
-  short: SHA1 hash.
+  original_fieldset: service
+  short: Address of this service.
   type: keyword
-process.target.parent.hash.sha256:
-  dashed_name: process-target-parent-hash-sha256
-  description: SHA256 hash.
-  flat_name: process.target.parent.hash.sha256
+service.target.environment:
+  beta: This field is beta and subject to change.
+  dashed_name: service-target-environment
+  description: 'Identifies the environment where the service is running.
+
+    If the same service runs in different environments (production, staging, QA, development,
+    etc.), the environment can identify other instances of the same service. Can also
+    group services and applications from the same environment.'
+  example: production
+  flat_name: service.target.environment
   ignore_above: 1024
   level: extended
-  name: sha256
+  name: environment
   normalize: []
-  original_fieldset: hash
-  short: SHA256 hash.
+  original_fieldset: service
+  short: Environment of the service.
   type: keyword
-process.target.parent.hash.sha512:
-  dashed_name: process-target-parent-hash-sha512
-  description: SHA512 hash.
-  flat_name: process.target.parent.hash.sha512
+service.target.ephemeral_id:
+  dashed_name: service-target-ephemeral-id
+  description: 'Ephemeral identifier of this service (if one exists).
+
+    This id normally changes across restarts, but `service.id` does not.'
+  example: 8a4f500f
+  flat_name: service.target.ephemeral_id
   ignore_above: 1024
   level: extended
-  name: sha512
+  name: ephemeral_id
   normalize: []
-  original_fieldset: hash
-  short: SHA512 hash.
+  original_fieldset: service
+  short: Ephemeral identifier of this service.
   type: keyword
-process.target.parent.hash.ssdeep:
-  dashed_name: process-target-parent-hash-ssdeep
-  description: SSDEEP hash.
-  flat_name: process.target.parent.hash.ssdeep
+service.target.id:
+  dashed_name: service-target-id
+  description: 'Unique identifier of the running service. If the service is comprised
+    of many nodes, the `service.id` should be the same for all nodes.
+
+    This id should uniquely identify the service. This makes it possible to correlate
+    logs and metrics for one specific service, no matter which particular node emitted
+    the event.
+
+    Note that if you need to see the events from one specific host of the service,
+    you should filter on that `host.name` or `host.id` instead.'
+  example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+  flat_name: service.target.id
   ignore_above: 1024
-  level: extended
-  name: ssdeep
+  level: core
+  name: id
   normalize: []
-  original_fieldset: hash
-  short: SSDEEP hash.
+  original_fieldset: service
+  short: Unique identifier of the running service.
   type: keyword
-process.target.parent.name:
-  dashed_name: process-target-parent-name
-  description: 'Process name.
+service.target.name:
+  dashed_name: service-target-name
+  description: 'Name of the service data is collected from.
 
-    Sometimes called program name or similar.'
-  example: ssh
-  flat_name: process.target.parent.name
+    The name of the service is normally user given. This allows for distributed services
+    that run on multiple hosts to correlate the related instances based on the name.
+
+    In the case of Elasticsearch the `service.name` could contain the cluster name.
+    For Beats the `service.name` is by default a copy of the `service.type` field
+    if no name is specified.'
+  example: elasticsearch-metrics
+  flat_name: service.target.name
   ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: process.target.parent.name.text
-    name: text
-    type: match_only_text
+  level: core
   name: name
   normalize: []
-  original_fieldset: process
-  short: Process name.
+  original_fieldset: service
+  short: Name of the service.
   type: keyword
-process.target.parent.pe.architecture:
-  dashed_name: process-target-parent-pe-architecture
-  description: CPU architecture target for the file.
-  example: x64
-  flat_name: process.target.parent.pe.architecture
+service.target.node.name:
+  dashed_name: service-target-node-name
+  description: 'Name of a service node.
+
+    This allows for two nodes of the same service running on the same host to be differentiated.
+    Therefore, `service.node.name` should typically be unique across nodes of a given
+    service.
+
+    In the case of Elasticsearch, the `service.node.name` could contain the unique
+    node name within the Elasticsearch cluster. In cases where the service doesn''t
+    have the concept of a node name, the host name or container name can be used to
+    distinguish running instances that make up this service. If those do not provide
+    uniqueness (e.g. multiple instances of the service running on the same host) -
+    the node name can be manually set.'
+  example: instance-0000000016
+  flat_name: service.target.node.name
   ignore_above: 1024
   level: extended
-  name: architecture
+  name: node.name
   normalize: []
-  original_fieldset: pe
-  short: CPU architecture target for the file.
+  original_fieldset: service
+  short: Name of the service node.
   type: keyword
-process.target.parent.pe.authentihash:
-  dashed_name: process-target-parent-pe-authentihash
-  description: Authentihash of the PE file.
-  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-  flat_name: process.target.parent.pe.authentihash
+service.target.state:
+  dashed_name: service-target-state
+  description: Current state of the service.
+  flat_name: service.target.state
   ignore_above: 1024
-  level: extended
-  name: authentihash
+  level: core
+  name: state
   normalize: []
-  original_fieldset: pe
-  short: Authentihash of the PE file.
+  original_fieldset: service
+  short: Current state of the service.
   type: keyword
-process.target.parent.pe.company:
-  dashed_name: process-target-parent-pe-company
-  description: Internal company name of the file, provided at compile-time.
-  example: Microsoft Corporation
-  flat_name: process.target.parent.pe.company
+service.target.type:
+  dashed_name: service-target-type
+  description: 'The type of the service data is collected from.
+
+    The type can be used to group and correlate logs and metrics from one service
+    type.
+
+    Example: If logs or metrics are collected from Elasticsearch, `service.type` would
+    be `elasticsearch`.'
+  example: elasticsearch
+  flat_name: service.target.type
   ignore_above: 1024
-  level: extended
-  name: company
+  level: core
+  name: type
   normalize: []
-  original_fieldset: pe
-  short: Internal company name of the file, provided at compile-time.
+  original_fieldset: service
+  short: The type of the service.
   type: keyword
-process.target.parent.pe.compile_timestamp:
-  dashed_name: process-target-parent-pe-compile-timestamp
-  description: Compile timestamp of the PE file.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: process.target.parent.pe.compile_timestamp
-  level: extended
-  name: compile_timestamp
-  normalize: []
-  original_fieldset: pe
-  short: Compile timestamp of the PE file.
-  type: date
-process.target.parent.pe.compiler.name:
-  dashed_name: process-target-parent-pe-compiler-name
-  description: Name of the compiler
-  example: Clang
-  flat_name: process.target.parent.pe.compiler.name
+service.target.version:
+  dashed_name: service-target-version
+  description: 'Version of the service the data was collected from.
+
+    This allows to look at a data set only for a specific version of a service.'
+  example: 3.2.4
+  flat_name: service.target.version
   ignore_above: 1024
-  level: extended
-  name: compiler.name
+  level: core
+  name: version
   normalize: []
-  original_fieldset: pe
-  short: Name of the compiler
+  original_fieldset: service
+  short: Version of the service.
   type: keyword
-process.target.parent.pe.compiler.version:
-  dashed_name: process-target-parent-pe-compiler-version
-  description: Version of the compiler.
-  example: 11.0.0
-  flat_name: process.target.parent.pe.compiler.version
+service.type:
+  dashed_name: service-type
+  description: 'The type of the service data is collected from.
+
+    The type can be used to group and correlate logs and metrics from one service
+    type.
+
+    Example: If logs or metrics are collected from Elasticsearch, `service.type` would
+    be `elasticsearch`.'
+  example: elasticsearch
+  flat_name: service.type
   ignore_above: 1024
-  level: extended
-  name: compiler.version
+  level: core
+  name: type
   normalize: []
-  original_fieldset: pe
-  short: Version of the compiler.
+  short: The type of the service.
   type: keyword
-process.target.parent.pe.creation_date:
-  dashed_name: process-target-parent-pe-creation-date
-  description: Extracted when possible from the file's metadata. Indicates when it
-    was built or compiled. It can also be faked by malware creators.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: process.target.parent.pe.creation_date
-  level: extended
-  name: creation_date
+service.version:
+  dashed_name: service-version
+  description: 'Version of the service the data was collected from.
+
+    This allows to look at a data set only for a specific version of a service.'
+  example: 3.2.4
+  flat_name: service.version
+  ignore_above: 1024
+  level: core
+  name: version
   normalize: []
-  original_fieldset: pe
-  short: Build or compile date.
-  type: date
-process.target.parent.pe.debug:
-  dashed_name: process-target-parent-pe-debug
-  description: 'An array containing an object for each debug entry, if present.
+  short: Version of the service.
+  type: keyword
+source.address:
+  dashed_name: source-address
+  description: 'Some event source addresses are defined ambiguously. The event will
+    sometimes list an IP, a domain or a unix socket.  You should always store the
+    raw address in the `.address` field.
 
-    The expected fields for this nested object fall under the `debug.` prefix.'
-  flat_name: process.target.parent.pe.debug
-  level: extended
-  name: debug
-  normalize:
-  - array
-  original_fieldset: pe
-  short: Debug information
-  type: nested
-process.target.parent.pe.debug.offset:
-  dashed_name: process-target-parent-pe-debug-offset
-  description: Debug offset information.
-  example: 1296336
-  flat_name: process.target.parent.pe.debug.offset
+    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+    is.'
+  flat_name: source.address
   ignore_above: 1024
   level: extended
-  name: debug.offset
+  name: address
   normalize: []
-  original_fieldset: pe
-  short: Debug offset information.
+  short: Source network address.
   type: keyword
-process.target.parent.pe.debug.size:
-  dashed_name: process-target-parent-pe-debug-size
-  description: Size of the debug information.
-  example: 816
-  flat_name: process.target.parent.pe.debug.size
-  format: bytes
+source.as.number:
+  dashed_name: source-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: source.as.number
   level: extended
-  name: debug.size
+  name: number
   normalize: []
-  original_fieldset: pe
-  short: Size of the debug information.
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
   type: long
-process.target.parent.pe.debug.timestamp:
-  dashed_name: process-target-parent-pe-debug-timestamp
-  description: Timestamp of the debug information.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: process.target.parent.pe.debug.timestamp
-  level: extended
-  name: debug.timestamp
-  normalize: []
-  original_fieldset: pe
-  short: Timestamp of the debug information.
-  type: date
-process.target.parent.pe.debug.type:
-  dashed_name: process-target-parent-pe-debug-type
-  description: Information type generated by the debug options.
-  example: IMAGE_DEBUG_TYPE_POGO
-  flat_name: process.target.parent.pe.debug.type
+source.as.organization.name:
+  dashed_name: source-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: source.as.organization.name
   ignore_above: 1024
   level: extended
-  name: debug.type
+  multi_fields:
+  - flat_name: source.as.organization.name.text
+    name: text
+    type: match_only_text
+  name: organization.name
   normalize: []
-  original_fieldset: pe
-  short: Information type generated by the debug options.
+  original_fieldset: as
+  short: Organization name.
   type: keyword
-process.target.parent.pe.description:
-  dashed_name: process-target-parent-pe-description
-  description: Internal description of the file, provided at compile-time.
-  example: Paint
-  flat_name: process.target.parent.pe.description
-  ignore_above: 1024
-  level: extended
-  name: description
+source.bytes:
+  dashed_name: source-bytes
+  description: Bytes sent from the source to the destination.
+  example: 184
+  flat_name: source.bytes
+  format: bytes
+  level: core
+  name: bytes
   normalize: []
-  original_fieldset: pe
-  short: Internal description of the file, provided at compile-time.
-  type: keyword
-process.target.parent.pe.entry_point:
-  dashed_name: process-target-parent-pe-entry-point
-  description: Relative byte offset to the base of the PE file.
-  example: 25856
-  flat_name: process.target.parent.pe.entry_point
+  short: Bytes sent from the source to the destination.
+  type: long
+source.domain:
+  dashed_name: source-domain
+  description: Source domain.
+  flat_name: source.domain
   ignore_above: 1024
-  level: extended
-  name: entry_point
+  level: core
+  name: domain
   normalize: []
-  original_fieldset: pe
-  short: Relative byte offset to the base of the PE file.
+  short: Source domain.
   type: keyword
-process.target.parent.pe.exports:
-  dashed_name: process-target-parent-pe-exports
-  description: List of symbols exported by PE
-  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-  flat_name: process.target.parent.pe.exports
+source.geo.city_name:
+  dashed_name: source-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: source.geo.city_name
   ignore_above: 1024
-  level: extended
-  name: exports
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of symbols exported by PE
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
   type: keyword
-process.target.parent.pe.file_version:
-  dashed_name: process-target-parent-pe-file-version
-  description: Internal version of the file, provided at compile-time.
-  example: 6.3.9600.17415
-  flat_name: process.target.parent.pe.file_version
+source.geo.continent_code:
+  dashed_name: source-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: source.geo.continent_code
   ignore_above: 1024
-  level: extended
-  name: file_version
+  level: core
+  name: continent_code
   normalize: []
-  original_fieldset: pe
-  short: Process name.
+  original_fieldset: geo
+  short: Continent code.
   type: keyword
-process.target.parent.pe.icon.hash.dhash:
-  dashed_name: process-target-parent-pe-icon-hash-dhash
-  description: Difference Hash (dhash) to find files with a visually similar icon
-    or thumbnail.
-  example: b806e17c8e330d82
-  flat_name: process.target.parent.pe.icon.hash.dhash
+source.geo.continent_name:
+  dashed_name: source-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: source.geo.continent_name
   ignore_above: 1024
-  level: extended
-  name: icon.hash.dhash
+  level: core
+  name: continent_name
   normalize: []
-  original_fieldset: pe
-  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  original_fieldset: geo
+  short: Name of the continent.
   type: keyword
-process.target.parent.pe.imphash:
-  dashed_name: process-target-parent-pe-imphash
-  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
-    can be used to fingerprint binaries even after recompilation or other code-level
-    transformations have occurred, which would change more traditional hash values.
-
-    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-  example: 0c6803c4e922103c4dca5963aad36ddf
-  flat_name: process.target.parent.pe.imphash
+source.geo.country_iso_code:
+  dashed_name: source-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: source.geo.country_iso_code
   ignore_above: 1024
-  level: extended
-  name: imphash
+  level: core
+  name: country_iso_code
   normalize: []
-  original_fieldset: pe
-  short: A hash of the imports in a PE file.
+  original_fieldset: geo
+  short: Country ISO code.
   type: keyword
-process.target.parent.pe.imports:
-  dashed_name: process-target-parent-pe-imports
-  description: List of all imported functions
-  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-    }'
-  flat_name: process.target.parent.pe.imports
-  level: extended
-  name: imports
+source.geo.country_name:
+  dashed_name: source-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: source.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
   normalize: []
-  original_fieldset: pe
-  short: List of all imported functions
-  type: flattened
-process.target.parent.pe.machine_type:
-  dashed_name: process-target-parent-pe-machine-type
-  description: Machine type of the PE file.
-  example: Intel 386 or later, and compatibles
-  flat_name: process.target.parent.pe.machine_type
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+source.geo.location:
+  dashed_name: source-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: source.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+source.geo.name:
+  dashed_name: source-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: source.geo.name
   ignore_above: 1024
   level: extended
-  name: machine_type
+  name: name
   normalize: []
-  original_fieldset: pe
-  short: Machine type of the PE file.
+  original_fieldset: geo
+  short: User-defined description of a location.
   type: keyword
-process.target.parent.pe.original_file_name:
-  dashed_name: process-target-parent-pe-original-file-name
-  description: Internal name of the file, provided at compile-time.
-  example: MSPAINT.EXE
-  flat_name: process.target.parent.pe.original_file_name
+source.geo.postal_code:
+  dashed_name: source-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: source.geo.postal_code
   ignore_above: 1024
-  level: extended
-  name: original_file_name
+  level: core
+  name: postal_code
   normalize: []
-  original_fieldset: pe
-  short: Internal name of the file, provided at compile-time.
+  original_fieldset: geo
+  short: Postal code.
   type: keyword
-process.target.parent.pe.packers:
-  dashed_name: process-target-parent-pe-packers
-  description: List of packers and tools used.
-  example: '["ASPack v2.12", ".NET executable"]'
-  flat_name: process.target.parent.pe.packers
+source.geo.region_iso_code:
+  dashed_name: source-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: source.geo.region_iso_code
   ignore_above: 1024
-  level: extended
-  name: packers
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of packers and tools used.
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
   type: keyword
-process.target.parent.pe.product:
-  dashed_name: process-target-parent-pe-product
-  description: Internal product name of the file, provided at compile-time.
-  example: "Microsoft\xAE Windows\xAE Operating System"
-  flat_name: process.target.parent.pe.product
+source.geo.region_name:
+  dashed_name: source-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: source.geo.region_name
   ignore_above: 1024
-  level: extended
-  name: product
+  level: core
+  name: region_name
   normalize: []
-  original_fieldset: pe
-  short: Internal product name of the file, provided at compile-time.
+  original_fieldset: geo
+  short: Region name.
   type: keyword
-process.target.parent.pe.resources:
-  dashed_name: process-target-parent-pe-resources
-  description: 'An array containing an object for each PE resource, if present.
+source.geo.timezone:
+  dashed_name: source-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: source.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
+source.ip:
+  dashed_name: source-ip
+  description: IP address of the source (IPv4 or IPv6).
+  flat_name: source.ip
+  level: core
+  name: ip
+  normalize: []
+  short: IP address of the source.
+  type: ip
+source.mac:
+  dashed_name: source-mac
+  description: 'MAC address of the source.
 
-    The expected fields for this nested object fall under the `resources.` prefix.'
-  flat_name: process.target.parent.pe.resources
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
+  flat_name: source.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize: []
+  short: MAC address of the source.
+  type: keyword
+source.nat.ip:
+  dashed_name: source-nat-ip
+  description: 'Translated ip of source based NAT sessions (e.g. internal client to
+    internet)
+
+    Typically connections traversing load balancers, firewalls, or routers.'
+  flat_name: source.nat.ip
   level: extended
-  name: resources
-  normalize:
-  - array
-  original_fieldset: pe
-  short: PE resource information
-  type: nested
-process.target.parent.pe.resources.chi2:
-  dashed_name: process-target-parent-pe-resources-chi2
-  description: Chi-square probability distribution.
-  example: -1
-  flat_name: process.target.parent.pe.resources.chi2
+  name: nat.ip
+  normalize: []
+  short: Source NAT ip
+  type: ip
+source.nat.port:
+  dashed_name: source-nat-port
+  description: 'Translated port of source based NAT sessions. (e.g. internal client
+    to internet)
+
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: source.nat.port
+  format: string
   level: extended
-  name: resources.chi2
+  name: nat.port
   normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
+  short: Source NAT port
   type: long
-process.target.parent.pe.resources.entropy:
-  dashed_name: process-target-parent-pe-resources-entropy
-  description: Measurement of entropy randomness in the resources section.
-  example: 0, 1
-  flat_name: process.target.parent.pe.resources.entropy
-  level: extended
-  name: resources.entropy
+source.packets:
+  dashed_name: source-packets
+  description: Packets sent from the source to the destination.
+  example: 12
+  flat_name: source.packets
+  level: core
+  name: packets
   normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the resources section.
+  short: Packets sent from the source to the destination.
   type: long
-process.target.parent.pe.resources.filetype:
-  dashed_name: process-target-parent-pe-resources-filetype
-  description: File type of the resources section.
-  example: Data
-  flat_name: process.target.parent.pe.resources.filetype
+source.port:
+  dashed_name: source-port
+  description: Port of the source.
+  flat_name: source.port
+  format: string
+  level: core
+  name: port
+  normalize: []
+  short: Port of the source.
+  type: long
+source.registered_domain:
+  dashed_name: source-registered-domain
+  description: 'The highest registered source domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: source.registered_domain
   ignore_above: 1024
   level: extended
-  name: resources.filetype
+  name: registered_domain
   normalize: []
-  original_fieldset: pe
-  short: File type of the resources section.
+  short: The highest registered source domain, stripped of the subdomain.
   type: keyword
-process.target.parent.pe.resources.language:
-  dashed_name: process-target-parent-pe-resources-language
-  description: Language identification.
-  example: CHINESE SIMPLIFIED
-  flat_name: process.target.parent.pe.resources.language
+source.subdomain:
+  dashed_name: source-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: source.subdomain
   ignore_above: 1024
   level: extended
-  name: resources.language
+  name: subdomain
   normalize: []
-  original_fieldset: pe
-  short: Language identification.
+  short: The subdomain of the domain.
   type: keyword
-process.target.parent.pe.resources.sha256:
-  dashed_name: process-target-parent-pe-resources-sha256
-  description: SHA256 hash of resources section.
-  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-  flat_name: process.target.parent.pe.resources.sha256
+source.top_level_domain:
+  dashed_name: source-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: source.top_level_domain
   ignore_above: 1024
   level: extended
-  name: resources.sha256
+  name: top_level_domain
   normalize: []
-  original_fieldset: pe
-  short: SHA256 hash of resources section.
+  short: The effective top level domain (com, org, net, co.uk).
   type: keyword
-process.target.parent.pe.resources.type:
-  dashed_name: process-target-parent-pe-resources-type
-  description: Digest of resource types.
-  example: '["RT_VERSION", "RT_MANIFEST"]'
-  flat_name: process.target.parent.pe.resources.type
+source.user.domain:
+  dashed_name: source-user-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: source.user.domain
   ignore_above: 1024
   level: extended
-  name: resources.type
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of resource types.
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
   type: keyword
-process.target.parent.pe.rich_header.hash.md5:
-  dashed_name: process-target-parent-pe-rich-header-hash-md5
-  description: MD5 hash of the header for the PE file.
-  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-  flat_name: process.target.parent.pe.rich_header.hash.md5
+source.user.email:
+  dashed_name: source-user-email
+  description: User email address.
+  flat_name: source.user.email
   ignore_above: 1024
   level: extended
-  name: rich_header.hash.md5
+  name: email
   normalize: []
-  original_fieldset: pe
-  short: MD5 hash of the header for the PE file.
+  original_fieldset: user
+  short: User email address.
   type: keyword
-process.target.parent.pe.sections:
-  dashed_name: process-target-parent-pe-sections
-  description: Data about sections of compiled binary PE
-  flat_name: process.target.parent.pe.sections
-  level: extended
-  name: sections
-  normalize:
-  - array
-  original_fieldset: pe
-  short: Data about sections of the compiled binary PE
-  type: nested
-process.target.parent.pe.sections.chi2:
-  dashed_name: process-target-parent-pe-sections-chi2
-  description: Chi-square probability distribution.
-  example: 3027194
-  flat_name: process.target.parent.pe.sections.chi2
-  level: extended
-  name: sections.chi2
-  normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
-  type: long
-process.target.parent.pe.sections.entropy:
-  dashed_name: process-target-parent-pe-sections-entropy
-  description: Measurement of entropy randomness in the file.
-  example: 6.24
-  flat_name: process.target.parent.pe.sections.entropy
-  level: extended
-  name: sections.entropy
-  normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the file.
-  type: float
-process.target.parent.pe.sections.flags:
-  dashed_name: process-target-parent-pe-sections-flags
-  description: Section flags of the file.
-  example: rx
-  flat_name: process.target.parent.pe.sections.flags
+source.user.full_name:
+  dashed_name: source-user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: source.user.full_name
   ignore_above: 1024
   level: extended
-  name: sections.flags
+  multi_fields:
+  - flat_name: source.user.full_name.text
+    name: text
+    type: match_only_text
+  name: full_name
   normalize: []
-  original_fieldset: pe
-  short: Section flags of the file.
+  original_fieldset: user
+  short: User's full name, if available.
   type: keyword
-process.target.parent.pe.sections.name:
-  dashed_name: process-target-parent-pe-sections-name
-  description: Section names of the file.
-  example: .text, .data
-  flat_name: process.target.parent.pe.sections.name
+source.user.group.domain:
+  dashed_name: source-user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: source.user.group.domain
   ignore_above: 1024
   level: extended
-  name: sections.name
+  name: domain
   normalize: []
-  original_fieldset: pe
-  short: Section names of the file.
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
   type: keyword
-process.target.parent.pe.sections.raw_size:
-  dashed_name: process-target-parent-pe-sections-raw-size
-  description: Size of the section or the dize of the initialized data on disk.
-  example: 198144
-  flat_name: process.target.parent.pe.sections.raw_size
-  format: bytes
-  level: extended
-  name: sections.raw_size
-  normalize: []
-  original_fieldset: pe
-  short: Size of the section or the dize of the initialized data on disk.
-  type: long
-process.target.parent.pe.sections.virtual_address:
-  dashed_name: process-target-parent-pe-sections-virtual-address
-  description: Virtual address available to the file.
-  example: 8192
-  flat_name: process.target.parent.pe.sections.virtual_address
-  format: bytes
-  level: extended
-  name: sections.virtual_address
-  normalize: []
-  original_fieldset: pe
-  short: Virtual address available to the file.
-  type: long
-process.target.parent.pgid:
-  dashed_name: process-target-parent-pgid
-  description: Identifier of the group of processes the process belongs to.
-  flat_name: process.target.parent.pgid
-  format: string
-  level: extended
-  name: pgid
-  normalize: []
-  original_fieldset: process
-  short: Identifier of the group of processes the process belongs to.
-  type: long
-process.target.parent.pid:
-  dashed_name: process-target-parent-pid
-  description: Process id.
-  example: 4242
-  flat_name: process.target.parent.pid
-  format: string
-  level: core
-  name: pid
-  normalize: []
-  original_fieldset: process
-  short: Process id.
-  type: long
-process.target.parent.ppid:
-  dashed_name: process-target-parent-ppid
-  description: Parent process' pid.
-  example: 4241
-  flat_name: process.target.parent.ppid
-  format: string
-  level: extended
-  name: ppid
-  normalize: []
-  original_fieldset: process
-  short: Parent process' pid.
-  type: long
-process.target.parent.start:
-  dashed_name: process-target-parent-start
-  description: The time the process started.
-  example: '2016-05-23T08:05:34.853Z'
-  flat_name: process.target.parent.start
-  level: extended
-  name: start
-  normalize: []
-  original_fieldset: process
-  short: The time the process started.
-  type: date
-process.target.parent.thread.id:
-  dashed_name: process-target-parent-thread-id
-  description: Thread ID.
-  example: 4242
-  flat_name: process.target.parent.thread.id
-  format: string
+source.user.group.id:
+  dashed_name: source-user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: source.user.group.id
+  ignore_above: 1024
   level: extended
-  name: thread.id
+  name: id
   normalize: []
-  original_fieldset: process
-  short: Thread ID.
-  type: long
-process.target.parent.thread.name:
-  dashed_name: process-target-parent-thread-name
-  description: Thread name.
-  example: thread-0
-  flat_name: process.target.parent.thread.name
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+source.user.group.name:
+  dashed_name: source-user-group-name
+  description: Name of the group.
+  flat_name: source.user.group.name
   ignore_above: 1024
   level: extended
-  name: thread.name
+  name: name
   normalize: []
-  original_fieldset: process
-  short: Thread name.
+  original_fieldset: group
+  short: Name of the group.
   type: keyword
-process.target.parent.title:
-  dashed_name: process-target-parent-title
-  description: 'Process title.
+source.user.hash:
+  dashed_name: source-user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
 
-    The proctitle, some times the same as process name. Can also be different: for
-    example a browser setting its title to the web page currently opened.'
-  flat_name: process.target.parent.title
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: source.user.hash
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: process.target.parent.title.text
-    name: text
-    type: match_only_text
-  name: title
+  name: hash
   normalize: []
-  original_fieldset: process
-  short: Process title.
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
   type: keyword
-process.target.parent.uptime:
-  dashed_name: process-target-parent-uptime
-  description: Seconds the process has been up.
-  example: 1325
-  flat_name: process.target.parent.uptime
-  level: extended
-  name: uptime
+source.user.id:
+  dashed_name: source-user-id
+  description: Unique identifier of the user.
+  example: S-1-5-21-202424912787-2692429404-2351956786-1000
+  flat_name: source.user.id
+  ignore_above: 1024
+  level: core
+  name: id
   normalize: []
-  original_fieldset: process
-  short: Seconds the process has been up.
-  type: long
-process.target.parent.working_directory:
-  dashed_name: process-target-parent-working-directory
-  description: The working directory of the process.
-  example: /home/alice
-  flat_name: process.target.parent.working_directory
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+source.user.name:
+  dashed_name: source-user-name
+  description: Short name or login of the user.
+  example: a.einstein
+  flat_name: source.user.name
   ignore_above: 1024
-  level: extended
+  level: core
   multi_fields:
-  - flat_name: process.target.parent.working_directory.text
+  - flat_name: source.user.name.text
     name: text
     type: match_only_text
-  name: working_directory
+  name: name
   normalize: []
-  original_fieldset: process
-  short: The working directory of the process.
+  original_fieldset: user
+  short: Short name or login of the user.
   type: keyword
-process.target.pe.architecture:
-  dashed_name: process-target-pe-architecture
-  description: CPU architecture target for the file.
-  example: x64
-  flat_name: process.target.pe.architecture
+source.user.roles:
+  dashed_name: source-user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: source.user.roles
   ignore_above: 1024
   level: extended
-  name: architecture
-  normalize: []
-  original_fieldset: pe
-  short: CPU architecture target for the file.
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
   type: keyword
-process.target.pe.authentihash:
-  dashed_name: process-target-pe-authentihash
-  description: Authentihash of the PE file.
-  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-  flat_name: process.target.pe.authentihash
+span.id:
+  dashed_name: span-id
+  description: 'Unique identifier of the span within the scope of its trace.
+
+    A span represents an operation within a transaction, such as a request to another
+    service, or a database query.'
+  example: 3ff9a8981b7ccd5a
+  flat_name: span.id
   ignore_above: 1024
   level: extended
-  name: authentihash
+  name: span.id
   normalize: []
-  original_fieldset: pe
-  short: Authentihash of the PE file.
+  short: Unique identifier of the span within the scope of its trace.
   type: keyword
-process.target.pe.company:
-  dashed_name: process-target-pe-company
-  description: Internal company name of the file, provided at compile-time.
-  example: Microsoft Corporation
-  flat_name: process.target.pe.company
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
   ignore_above: 1024
-  level: extended
-  name: company
-  normalize: []
-  original_fieldset: pe
-  short: Internal company name of the file, provided at compile-time.
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
   type: keyword
-process.target.pe.compile_timestamp:
-  dashed_name: process-target-pe-compile-timestamp
-  description: Compile timestamp of the PE file.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: process.target.pe.compile_timestamp
-  level: extended
-  name: compile_timestamp
-  normalize: []
-  original_fieldset: pe
-  short: Compile timestamp of the PE file.
-  type: date
-process.target.pe.compiler.name:
-  dashed_name: process-target-pe-compiler-name
-  description: Name of the compiler
-  example: Clang
-  flat_name: process.target.pe.compiler.name
-  ignore_above: 1024
-  level: extended
-  name: compiler.name
-  normalize: []
-  original_fieldset: pe
-  short: Name of the compiler
-  type: keyword
-process.target.pe.compiler.version:
-  dashed_name: process-target-pe-compiler-version
-  description: Version of the compiler.
-  example: 11.0.0
-  flat_name: process.target.pe.compiler.version
-  ignore_above: 1024
-  level: extended
-  name: compiler.version
-  normalize: []
-  original_fieldset: pe
-  short: Version of the compiler.
-  type: keyword
-process.target.pe.creation_date:
-  dashed_name: process-target-pe-creation-date
-  description: Extracted when possible from the file's metadata. Indicates when it
-    was built or compiled. It can also be faked by malware creators.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: process.target.pe.creation_date
-  level: extended
-  name: creation_date
-  normalize: []
-  original_fieldset: pe
-  short: Build or compile date.
-  type: date
-process.target.pe.debug:
-  dashed_name: process-target-pe-debug
-  description: 'An array containing an object for each debug entry, if present.
-
-    The expected fields for this nested object fall under the `debug.` prefix.'
-  flat_name: process.target.pe.debug
+threat.enrichments:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments
+  description: A list of associated indicators objects enriching the event, and the
+    context of that association/enrichment.
+  flat_name: threat.enrichments
   level: extended
-  name: debug
+  name: enrichments
   normalize:
   - array
-  original_fieldset: pe
-  short: Debug information
+  short: List of objects containing indicators enriching the event.
   type: nested
-process.target.pe.debug.offset:
-  dashed_name: process-target-pe-debug-offset
-  description: Debug offset information.
-  example: 1296336
-  flat_name: process.target.pe.debug.offset
-  ignore_above: 1024
+threat.enrichments.indicator:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator
+  description: Object containing associated indicators enriching the event.
+  flat_name: threat.enrichments.indicator
   level: extended
-  name: debug.offset
+  name: enrichments.indicator
   normalize: []
-  original_fieldset: pe
-  short: Debug offset information.
-  type: keyword
-process.target.pe.debug.size:
-  dashed_name: process-target-pe-debug-size
-  description: Size of the debug information.
-  example: 816
-  flat_name: process.target.pe.debug.size
-  format: bytes
+  short: Object containing indicators enriching the event.
+  type: object
+threat.enrichments.indicator.as.number:
+  dashed_name: threat-enrichments-indicator-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: threat.enrichments.indicator.as.number
   level: extended
-  name: debug.size
+  name: number
   normalize: []
-  original_fieldset: pe
-  short: Size of the debug information.
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
   type: long
-process.target.pe.debug.timestamp:
-  dashed_name: process-target-pe-debug-timestamp
-  description: Timestamp of the debug information.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: process.target.pe.debug.timestamp
+threat.enrichments.indicator.as.organization.name:
+  dashed_name: threat-enrichments-indicator-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: threat.enrichments.indicator.as.organization.name
+  ignore_above: 1024
   level: extended
-  name: debug.timestamp
+  multi_fields:
+  - flat_name: threat.enrichments.indicator.as.organization.name.text
+    name: text
+    type: match_only_text
+  name: organization.name
   normalize: []
-  original_fieldset: pe
-  short: Timestamp of the debug information.
-  type: date
-process.target.pe.debug.type:
-  dashed_name: process-target-pe-debug-type
-  description: Information type generated by the debug options.
-  example: IMAGE_DEBUG_TYPE_POGO
-  flat_name: process.target.pe.debug.type
+  original_fieldset: as
+  short: Organization name.
+  type: keyword
+threat.enrichments.indicator.confidence:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-confidence
+  description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the None/Low/Medium/High\_\
+    scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence\
+    \ scales may be added as custom fields.\nExpected values are:\n  * Not Specified\n\
+    \  * None\n  * Low\n  * Medium\n  * High"
+  example: Medium
+  flat_name: threat.enrichments.indicator.confidence
   ignore_above: 1024
   level: extended
-  name: debug.type
+  name: enrichments.indicator.confidence
   normalize: []
-  original_fieldset: pe
-  short: Information type generated by the debug options.
+  short: Indicator confidence rating
   type: keyword
-process.target.pe.description:
-  dashed_name: process-target-pe-description
-  description: Internal description of the file, provided at compile-time.
-  example: Paint
-  flat_name: process.target.pe.description
+threat.enrichments.indicator.description:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-description
+  description: Describes the type of action conducted by the threat.
+  example: IP x.x.x.x was observed delivering the Angler EK.
+  flat_name: threat.enrichments.indicator.description
   ignore_above: 1024
   level: extended
-  name: description
+  name: enrichments.indicator.description
   normalize: []
-  original_fieldset: pe
-  short: Internal description of the file, provided at compile-time.
+  short: Indicator description
   type: keyword
-process.target.pe.entry_point:
-  dashed_name: process-target-pe-entry-point
-  description: Relative byte offset to the base of the PE file.
-  example: 25856
-  flat_name: process.target.pe.entry_point
+threat.enrichments.indicator.email.address:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-email-address
+  description: Identifies a threat indicator as an email address (irrespective of
+    direction).
+  example: phish@example.com
+  flat_name: threat.enrichments.indicator.email.address
   ignore_above: 1024
   level: extended
-  name: entry_point
+  name: enrichments.indicator.email.address
   normalize: []
-  original_fieldset: pe
-  short: Relative byte offset to the base of the PE file.
+  short: Indicator email address
   type: keyword
-process.target.pe.exports:
-  dashed_name: process-target-pe-exports
-  description: List of symbols exported by PE
-  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-  flat_name: process.target.pe.exports
+threat.enrichments.indicator.file.accessed:
+  dashed_name: threat-enrichments-indicator-file-accessed
+  description: 'Last time the file was accessed.
+
+    Note that not all filesystems keep track of access time.'
+  flat_name: threat.enrichments.indicator.file.accessed
+  level: extended
+  name: accessed
+  normalize: []
+  original_fieldset: file
+  short: Last time the file was accessed.
+  type: date
+threat.enrichments.indicator.file.attributes:
+  dashed_name: threat-enrichments-indicator-file-attributes
+  description: 'Array of file attributes.
+
+    Attributes names will vary by platform. Here''s a non-exhaustive list of values
+    that are expected in this field: archive, compressed, directory, encrypted, execute,
+    hidden, read, readonly, system, write.'
+  example: '["readonly", "system"]'
+  flat_name: threat.enrichments.indicator.file.attributes
   ignore_above: 1024
   level: extended
-  name: exports
+  name: attributes
   normalize:
   - array
-  original_fieldset: pe
-  short: List of symbols exported by PE
+  original_fieldset: file
+  short: Array of file attributes.
   type: keyword
-process.target.pe.file_version:
-  dashed_name: process-target-pe-file-version
-  description: Internal version of the file, provided at compile-time.
-  example: 6.3.9600.17415
-  flat_name: process.target.pe.file_version
+threat.enrichments.indicator.file.code_signature.digest_algorithm:
+  dashed_name: threat-enrichments-indicator-file-code-signature-digest-algorithm
+  description: 'The hashing algorithm used to sign the process.
+
+    This value can distinguish signatures when a file is signed multiple times by
+    the same signer but with a different digest algorithm.'
+  example: sha256
+  flat_name: threat.enrichments.indicator.file.code_signature.digest_algorithm
   ignore_above: 1024
   level: extended
-  name: file_version
+  name: digest_algorithm
   normalize: []
-  original_fieldset: pe
-  short: Process name.
+  original_fieldset: code_signature
+  short: Hashing algorithm used to sign the process.
   type: keyword
-process.target.pe.icon.hash.dhash:
-  dashed_name: process-target-pe-icon-hash-dhash
-  description: Difference Hash (dhash) to find files with a visually similar icon
-    or thumbnail.
-  example: b806e17c8e330d82
-  flat_name: process.target.pe.icon.hash.dhash
+threat.enrichments.indicator.file.code_signature.exists:
+  dashed_name: threat-enrichments-indicator-file-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: threat.enrichments.indicator.file.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+threat.enrichments.indicator.file.code_signature.signing_id:
+  dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: threat.enrichments.indicator.file.code_signature.signing_id
   ignore_above: 1024
   level: extended
-  name: icon.hash.dhash
+  name: signing_id
   normalize: []
-  original_fieldset: pe
-  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
   type: keyword
-process.target.pe.imphash:
-  dashed_name: process-target-pe-imphash
-  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
-    can be used to fingerprint binaries even after recompilation or other code-level
-    transformations have occurred, which would change more traditional hash values.
+threat.enrichments.indicator.file.code_signature.status:
+  dashed_name: threat-enrichments-indicator-file-code-signature-status
+  description: 'Additional information about the certificate status.
 
-    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-  example: 0c6803c4e922103c4dca5963aad36ddf
-  flat_name: process.target.pe.imphash
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: threat.enrichments.indicator.file.code_signature.status
   ignore_above: 1024
   level: extended
-  name: imphash
+  name: status
   normalize: []
-  original_fieldset: pe
-  short: A hash of the imports in a PE file.
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
   type: keyword
-process.target.pe.imports:
-  dashed_name: process-target-pe-imports
-  description: List of all imported functions
-  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-    }'
-  flat_name: process.target.pe.imports
-  level: extended
-  name: imports
-  normalize: []
-  original_fieldset: pe
-  short: List of all imported functions
-  type: flattened
-process.target.pe.machine_type:
-  dashed_name: process-target-pe-machine-type
-  description: Machine type of the PE file.
-  example: Intel 386 or later, and compatibles
-  flat_name: process.target.pe.machine_type
+threat.enrichments.indicator.file.code_signature.subject_name:
+  dashed_name: threat-enrichments-indicator-file-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: threat.enrichments.indicator.file.code_signature.subject_name
   ignore_above: 1024
-  level: extended
-  name: machine_type
+  level: core
+  name: subject_name
   normalize: []
-  original_fieldset: pe
-  short: Machine type of the PE file.
+  original_fieldset: code_signature
+  short: Subject name of the code signer
   type: keyword
-process.target.pe.original_file_name:
-  dashed_name: process-target-pe-original-file-name
-  description: Internal name of the file, provided at compile-time.
-  example: MSPAINT.EXE
-  flat_name: process.target.pe.original_file_name
+threat.enrichments.indicator.file.code_signature.team_id:
+  dashed_name: threat-enrichments-indicator-file-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: threat.enrichments.indicator.file.code_signature.team_id
   ignore_above: 1024
   level: extended
-  name: original_file_name
+  name: team_id
   normalize: []
-  original_fieldset: pe
-  short: Internal name of the file, provided at compile-time.
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
   type: keyword
-process.target.pe.packers:
-  dashed_name: process-target-pe-packers
-  description: List of packers and tools used.
-  example: '["ASPack v2.12", ".NET executable"]'
-  flat_name: process.target.pe.packers
-  ignore_above: 1024
+threat.enrichments.indicator.file.code_signature.timestamp:
+  dashed_name: threat-enrichments-indicator-file-code-signature-timestamp
+  description: Date and time when the code signature was generated and signed.
+  example: '2021-01-01T12:10:30Z'
+  flat_name: threat.enrichments.indicator.file.code_signature.timestamp
   level: extended
-  name: packers
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of packers and tools used.
-  type: keyword
-process.target.pe.product:
-  dashed_name: process-target-pe-product
-  description: Internal product name of the file, provided at compile-time.
-  example: "Microsoft\xAE Windows\xAE Operating System"
-  flat_name: process.target.pe.product
-  ignore_above: 1024
+  name: timestamp
+  normalize: []
+  original_fieldset: code_signature
+  short: When the signature was generated and signed.
+  type: date
+threat.enrichments.indicator.file.code_signature.trusted:
+  dashed_name: threat-enrichments-indicator-file-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: threat.enrichments.indicator.file.code_signature.trusted
   level: extended
-  name: product
+  name: trusted
   normalize: []
-  original_fieldset: pe
-  short: Internal product name of the file, provided at compile-time.
-  type: keyword
-process.target.pe.resources:
-  dashed_name: process-target-pe-resources
-  description: 'An array containing an object for each PE resource, if present.
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+threat.enrichments.indicator.file.code_signature.valid:
+  dashed_name: threat-enrichments-indicator-file-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
 
-    The expected fields for this nested object fall under the `resources.` prefix.'
-  flat_name: process.target.pe.resources
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: threat.enrichments.indicator.file.code_signature.valid
   level: extended
-  name: resources
-  normalize:
-  - array
-  original_fieldset: pe
-  short: PE resource information
-  type: nested
-process.target.pe.resources.chi2:
-  dashed_name: process-target-pe-resources-chi2
-  description: Chi-square probability distribution.
-  example: -1
-  flat_name: process.target.pe.resources.chi2
+  name: valid
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
+threat.enrichments.indicator.file.created:
+  dashed_name: threat-enrichments-indicator-file-created
+  description: 'File creation time.
+
+    Note that not all filesystems store the creation time.'
+  flat_name: threat.enrichments.indicator.file.created
   level: extended
-  name: resources.chi2
+  name: created
   normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
-  type: long
-process.target.pe.resources.entropy:
-  dashed_name: process-target-pe-resources-entropy
-  description: Measurement of entropy randomness in the resources section.
-  example: 0, 1
-  flat_name: process.target.pe.resources.entropy
+  original_fieldset: file
+  short: File creation time.
+  type: date
+threat.enrichments.indicator.file.ctime:
+  dashed_name: threat-enrichments-indicator-file-ctime
+  description: 'Last time the file attributes or metadata changed.
+
+    Note that changes to the file content will update `mtime`. This implies `ctime`
+    will be adjusted at the same time, since `mtime` is an attribute of the file.'
+  flat_name: threat.enrichments.indicator.file.ctime
   level: extended
-  name: resources.entropy
+  name: ctime
   normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the resources section.
-  type: long
-process.target.pe.resources.filetype:
-  dashed_name: process-target-pe-resources-filetype
-  description: File type of the resources section.
-  example: Data
-  flat_name: process.target.pe.resources.filetype
+  original_fieldset: file
+  short: Last time the file attributes or metadata changed.
+  type: date
+threat.enrichments.indicator.file.device:
+  dashed_name: threat-enrichments-indicator-file-device
+  description: Device that is the source of the file.
+  example: sda
+  flat_name: threat.enrichments.indicator.file.device
   ignore_above: 1024
   level: extended
-  name: resources.filetype
+  name: device
   normalize: []
-  original_fieldset: pe
-  short: File type of the resources section.
+  original_fieldset: file
+  short: Device that is the source of the file.
   type: keyword
-process.target.pe.resources.language:
-  dashed_name: process-target-pe-resources-language
-  description: Language identification.
-  example: CHINESE SIMPLIFIED
-  flat_name: process.target.pe.resources.language
+threat.enrichments.indicator.file.directory:
+  dashed_name: threat-enrichments-indicator-file-directory
+  description: Directory where the file is located. It should include the drive letter,
+    when appropriate.
+  example: /home/alice
+  flat_name: threat.enrichments.indicator.file.directory
   ignore_above: 1024
   level: extended
-  name: resources.language
+  name: directory
   normalize: []
-  original_fieldset: pe
-  short: Language identification.
+  original_fieldset: file
+  short: Directory where the file is located.
   type: keyword
-process.target.pe.resources.sha256:
-  dashed_name: process-target-pe-resources-sha256
-  description: SHA256 hash of resources section.
-  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-  flat_name: process.target.pe.resources.sha256
-  ignore_above: 1024
+threat.enrichments.indicator.file.drive_letter:
+  dashed_name: threat-enrichments-indicator-file-drive-letter
+  description: 'Drive letter where the file is located. This field is only relevant
+    on Windows.
+
+    The value should be uppercase, and not include the colon.'
+  example: C
+  flat_name: threat.enrichments.indicator.file.drive_letter
+  ignore_above: 1
   level: extended
-  name: resources.sha256
+  name: drive_letter
   normalize: []
-  original_fieldset: pe
-  short: SHA256 hash of resources section.
+  original_fieldset: file
+  short: Drive letter where the file is located.
   type: keyword
-process.target.pe.resources.type:
-  dashed_name: process-target-pe-resources-type
-  description: Digest of resource types.
-  example: '["RT_VERSION", "RT_MANIFEST"]'
-  flat_name: process.target.pe.resources.type
+threat.enrichments.indicator.file.elf.architecture:
+  dashed_name: threat-enrichments-indicator-file-elf-architecture
+  description: Machine architecture of the ELF file.
+  example: x86-64
+  flat_name: threat.enrichments.indicator.file.elf.architecture
   ignore_above: 1024
   level: extended
-  name: resources.type
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of resource types.
+  name: architecture
+  normalize: []
+  original_fieldset: elf
+  short: Machine architecture of the ELF file.
   type: keyword
-process.target.pe.rich_header.hash.md5:
-  dashed_name: process-target-pe-rich-header-hash-md5
-  description: MD5 hash of the header for the PE file.
-  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-  flat_name: process.target.pe.rich_header.hash.md5
+threat.enrichments.indicator.file.elf.byte_order:
+  dashed_name: threat-enrichments-indicator-file-elf-byte-order
+  description: Byte sequence of ELF file.
+  example: Little Endian
+  flat_name: threat.enrichments.indicator.file.elf.byte_order
   ignore_above: 1024
   level: extended
-  name: rich_header.hash.md5
+  name: byte_order
   normalize: []
-  original_fieldset: pe
-  short: MD5 hash of the header for the PE file.
+  original_fieldset: elf
+  short: Byte sequence of ELF file.
   type: keyword
-process.target.pe.sections:
-  dashed_name: process-target-pe-sections
-  description: Data about sections of compiled binary PE
-  flat_name: process.target.pe.sections
-  level: extended
-  name: sections
-  normalize:
-  - array
-  original_fieldset: pe
-  short: Data about sections of the compiled binary PE
-  type: nested
-process.target.pe.sections.chi2:
-  dashed_name: process-target-pe-sections-chi2
-  description: Chi-square probability distribution.
-  example: 3027194
-  flat_name: process.target.pe.sections.chi2
+threat.enrichments.indicator.file.elf.cpu_type:
+  dashed_name: threat-enrichments-indicator-file-elf-cpu-type
+  description: CPU type of the ELF file.
+  example: Intel
+  flat_name: threat.enrichments.indicator.file.elf.cpu_type
+  ignore_above: 1024
   level: extended
-  name: sections.chi2
+  name: cpu_type
   normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
-  type: long
-process.target.pe.sections.entropy:
-  dashed_name: process-target-pe-sections-entropy
-  description: Measurement of entropy randomness in the file.
-  example: 6.24
-  flat_name: process.target.pe.sections.entropy
+  original_fieldset: elf
+  short: CPU type of the ELF file.
+  type: keyword
+threat.enrichments.indicator.file.elf.creation_date:
+  dashed_name: threat-enrichments-indicator-file-elf-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  flat_name: threat.enrichments.indicator.file.elf.creation_date
   level: extended
-  name: sections.entropy
+  name: creation_date
   normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the file.
-  type: float
-process.target.pe.sections.flags:
-  dashed_name: process-target-pe-sections-flags
-  description: Section flags of the file.
-  example: rx
-  flat_name: process.target.pe.sections.flags
+  original_fieldset: elf
+  short: Build or compile date.
+  type: date
+threat.enrichments.indicator.file.elf.exports:
+  dashed_name: threat-enrichments-indicator-file-elf-exports
+  description: List of exported element names and types.
+  flat_name: threat.enrichments.indicator.file.elf.exports
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: elf
+  short: List of exported element names and types.
+  type: flattened
+threat.enrichments.indicator.file.elf.header.abi_version:
+  dashed_name: threat-enrichments-indicator-file-elf-header-abi-version
+  description: Version of the ELF Application Binary Interface (ABI).
+  flat_name: threat.enrichments.indicator.file.elf.header.abi_version
   ignore_above: 1024
   level: extended
-  name: sections.flags
+  name: header.abi_version
   normalize: []
-  original_fieldset: pe
-  short: Section flags of the file.
+  original_fieldset: elf
+  short: Version of the ELF Application Binary Interface (ABI).
   type: keyword
-process.target.pe.sections.name:
-  dashed_name: process-target-pe-sections-name
-  description: Section names of the file.
-  example: .text, .data
-  flat_name: process.target.pe.sections.name
+threat.enrichments.indicator.file.elf.header.class:
+  dashed_name: threat-enrichments-indicator-file-elf-header-class
+  description: Header class of the ELF file.
+  flat_name: threat.enrichments.indicator.file.elf.header.class
   ignore_above: 1024
   level: extended
-  name: sections.name
+  name: header.class
   normalize: []
-  original_fieldset: pe
-  short: Section names of the file.
+  original_fieldset: elf
+  short: Header class of the ELF file.
   type: keyword
-process.target.pe.sections.raw_size:
-  dashed_name: process-target-pe-sections-raw-size
-  description: Size of the section or the dize of the initialized data on disk.
-  example: 198144
-  flat_name: process.target.pe.sections.raw_size
-  format: bytes
-  level: extended
-  name: sections.raw_size
-  normalize: []
-  original_fieldset: pe
-  short: Size of the section or the dize of the initialized data on disk.
-  type: long
-process.target.pe.sections.virtual_address:
-  dashed_name: process-target-pe-sections-virtual-address
-  description: Virtual address available to the file.
-  example: 8192
-  flat_name: process.target.pe.sections.virtual_address
-  format: bytes
+threat.enrichments.indicator.file.elf.header.data:
+  dashed_name: threat-enrichments-indicator-file-elf-header-data
+  description: Data table of the ELF header.
+  flat_name: threat.enrichments.indicator.file.elf.header.data
+  ignore_above: 1024
   level: extended
-  name: sections.virtual_address
+  name: header.data
   normalize: []
-  original_fieldset: pe
-  short: Virtual address available to the file.
-  type: long
-process.target.pgid:
-  dashed_name: process-target-pgid
-  description: Identifier of the group of processes the process belongs to.
-  flat_name: process.target.pgid
+  original_fieldset: elf
+  short: Data table of the ELF header.
+  type: keyword
+threat.enrichments.indicator.file.elf.header.entrypoint:
+  dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint
+  description: Header entrypoint of the ELF file.
+  flat_name: threat.enrichments.indicator.file.elf.header.entrypoint
   format: string
   level: extended
-  name: pgid
-  normalize: []
-  original_fieldset: process
-  short: Identifier of the group of processes the process belongs to.
-  type: long
-process.target.pid:
-  dashed_name: process-target-pid
-  description: Process id.
-  example: 4242
-  flat_name: process.target.pid
-  format: string
-  level: core
-  name: pid
+  name: header.entrypoint
   normalize: []
-  original_fieldset: process
-  short: Process id.
+  original_fieldset: elf
+  short: Header entrypoint of the ELF file.
   type: long
-process.target.ppid:
-  dashed_name: process-target-ppid
-  description: Parent process' pid.
-  example: 4241
-  flat_name: process.target.ppid
-  format: string
+threat.enrichments.indicator.file.elf.header.object_version:
+  dashed_name: threat-enrichments-indicator-file-elf-header-object-version
+  description: '"0x1" for original ELF files.'
+  flat_name: threat.enrichments.indicator.file.elf.header.object_version
+  ignore_above: 1024
   level: extended
-  name: ppid
+  name: header.object_version
   normalize: []
-  original_fieldset: process
-  short: Parent process' pid.
-  type: long
-process.target.start:
-  dashed_name: process-target-start
-  description: The time the process started.
-  example: '2016-05-23T08:05:34.853Z'
-  flat_name: process.target.start
+  original_fieldset: elf
+  short: '"0x1" for original ELF files.'
+  type: keyword
+threat.enrichments.indicator.file.elf.header.os_abi:
+  dashed_name: threat-enrichments-indicator-file-elf-header-os-abi
+  description: Application Binary Interface (ABI) of the Linux OS.
+  flat_name: threat.enrichments.indicator.file.elf.header.os_abi
+  ignore_above: 1024
   level: extended
-  name: start
+  name: header.os_abi
   normalize: []
-  original_fieldset: process
-  short: The time the process started.
-  type: date
-process.target.thread.id:
-  dashed_name: process-target-thread-id
-  description: Thread ID.
-  example: 4242
-  flat_name: process.target.thread.id
-  format: string
+  original_fieldset: elf
+  short: Application Binary Interface (ABI) of the Linux OS.
+  type: keyword
+threat.enrichments.indicator.file.elf.header.type:
+  dashed_name: threat-enrichments-indicator-file-elf-header-type
+  description: Header type of the ELF file.
+  flat_name: threat.enrichments.indicator.file.elf.header.type
+  ignore_above: 1024
   level: extended
-  name: thread.id
+  name: header.type
   normalize: []
-  original_fieldset: process
-  short: Thread ID.
-  type: long
-process.target.thread.name:
-  dashed_name: process-target-thread-name
-  description: Thread name.
-  example: thread-0
-  flat_name: process.target.thread.name
+  original_fieldset: elf
+  short: Header type of the ELF file.
+  type: keyword
+threat.enrichments.indicator.file.elf.header.version:
+  dashed_name: threat-enrichments-indicator-file-elf-header-version
+  description: Version of the ELF header.
+  flat_name: threat.enrichments.indicator.file.elf.header.version
   ignore_above: 1024
   level: extended
-  name: thread.name
+  name: header.version
   normalize: []
-  original_fieldset: process
-  short: Thread name.
+  original_fieldset: elf
+  short: Version of the ELF header.
   type: keyword
-process.target.title:
-  dashed_name: process-target-title
-  description: 'Process title.
+threat.enrichments.indicator.file.elf.imports:
+  dashed_name: threat-enrichments-indicator-file-elf-imports
+  description: List of imported element names and types.
+  flat_name: threat.enrichments.indicator.file.elf.imports
+  level: extended
+  name: imports
+  normalize:
+  - array
+  original_fieldset: elf
+  short: List of imported element names and types.
+  type: flattened
+threat.enrichments.indicator.file.elf.sections:
+  dashed_name: threat-enrichments-indicator-file-elf-sections
+  description: 'An array containing an object for each section of the ELF file.
 
-    The proctitle, some times the same as process name. Can also be different: for
-    example a browser setting its title to the web page currently opened.'
-  flat_name: process.target.title
-  ignore_above: 1024
+    The keys that should be present in these objects are defined by sub-fields underneath
+    `elf.sections.*`.'
+  flat_name: threat.enrichments.indicator.file.elf.sections
   level: extended
-  multi_fields:
-  - flat_name: process.target.title.text
-    name: text
-    type: match_only_text
-  name: title
+  name: sections
+  normalize:
+  - array
+  original_fieldset: elf
+  short: Section information of the ELF file.
+  type: nested
+threat.enrichments.indicator.file.elf.sections.chi2:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-chi2
+  description: Chi-square probability distribution of the section.
+  flat_name: threat.enrichments.indicator.file.elf.sections.chi2
+  format: number
+  level: extended
+  name: sections.chi2
   normalize: []
-  original_fieldset: process
-  short: Process title.
-  type: keyword
-process.target.uptime:
-  dashed_name: process-target-uptime
-  description: Seconds the process has been up.
-  example: 1325
-  flat_name: process.target.uptime
+  original_fieldset: elf
+  short: Chi-square probability distribution of the section.
+  type: long
+threat.enrichments.indicator.file.elf.sections.entropy:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-entropy
+  description: Shannon entropy calculation from the section.
+  flat_name: threat.enrichments.indicator.file.elf.sections.entropy
+  format: number
   level: extended
-  name: uptime
+  name: sections.entropy
   normalize: []
-  original_fieldset: process
-  short: Seconds the process has been up.
+  original_fieldset: elf
+  short: Shannon entropy calculation from the section.
   type: long
-process.target.working_directory:
-  dashed_name: process-target-working-directory
-  description: The working directory of the process.
-  example: /home/alice
-  flat_name: process.target.working_directory
+threat.enrichments.indicator.file.elf.sections.flags:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-flags
+  description: ELF Section List flags.
+  flat_name: threat.enrichments.indicator.file.elf.sections.flags
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: process.target.working_directory.text
-    name: text
-    type: match_only_text
-  name: working_directory
+  name: sections.flags
   normalize: []
-  original_fieldset: process
-  short: The working directory of the process.
+  original_fieldset: elf
+  short: ELF Section List flags.
   type: keyword
-process.thread.id:
-  dashed_name: process-thread-id
-  description: Thread ID.
-  example: 4242
-  flat_name: process.thread.id
-  format: string
-  level: extended
-  name: thread.id
-  normalize: []
-  short: Thread ID.
-  type: long
-process.thread.name:
-  dashed_name: process-thread-name
-  description: Thread name.
-  example: thread-0
-  flat_name: process.thread.name
+threat.enrichments.indicator.file.elf.sections.name:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-name
+  description: ELF Section List name.
+  flat_name: threat.enrichments.indicator.file.elf.sections.name
   ignore_above: 1024
   level: extended
-  name: thread.name
+  name: sections.name
   normalize: []
-  short: Thread name.
+  original_fieldset: elf
+  short: ELF Section List name.
   type: keyword
-process.title:
-  dashed_name: process-title
-  description: 'Process title.
-
-    The proctitle, some times the same as process name. Can also be different: for
-    example a browser setting its title to the web page currently opened.'
-  flat_name: process.title
+threat.enrichments.indicator.file.elf.sections.physical_offset:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset
+  description: ELF Section List offset.
+  flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: process.title.text
-    name: text
-    type: match_only_text
-  name: title
+  name: sections.physical_offset
   normalize: []
-  short: Process title.
+  original_fieldset: elf
+  short: ELF Section List offset.
   type: keyword
-process.uptime:
-  dashed_name: process-uptime
-  description: Seconds the process has been up.
-  example: 1325
-  flat_name: process.uptime
+threat.enrichments.indicator.file.elf.sections.physical_size:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size
+  description: ELF Section List physical size.
+  flat_name: threat.enrichments.indicator.file.elf.sections.physical_size
+  format: bytes
   level: extended
-  name: uptime
+  name: sections.physical_size
   normalize: []
-  short: Seconds the process has been up.
+  original_fieldset: elf
+  short: ELF Section List physical size.
   type: long
-process.working_directory:
-  dashed_name: process-working-directory
-  description: The working directory of the process.
-  example: /home/alice
-  flat_name: process.working_directory
+threat.enrichments.indicator.file.elf.sections.type:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-type
+  description: ELF Section List type.
+  flat_name: threat.enrichments.indicator.file.elf.sections.type
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: process.working_directory.text
-    name: text
-    type: match_only_text
-  name: working_directory
+  name: sections.type
   normalize: []
-  short: The working directory of the process.
+  original_fieldset: elf
+  short: ELF Section List type.
   type: keyword
-registry.data.bytes:
-  dashed_name: registry-data-bytes
-  description: 'Original bytes written with base64 encoding.
-
-    For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
-    corresponds to the data pointed by `lp_data`. This is optional but provides better
-    recoverability and should be populated for REG_BINARY encoded values.'
-  example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-  flat_name: registry.data.bytes
-  ignore_above: 1024
-  level: extended
-  name: data.bytes
-  normalize: []
-  short: Original bytes written with base64 encoding.
-  type: keyword
-registry.data.strings:
-  dashed_name: registry-data-strings
-  description: 'Content when writing string types.
-
-    Populated as an array when writing string data to the registry. For single string
-    registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
-    For sequences of string with REG_MULTI_SZ, this array will be variable length.
-    For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
-    the decimal representation (e.g `"1"`).'
-  example: '["C:\rta\red_ttp\bin\myapp.exe"]'
-  flat_name: registry.data.strings
-  level: core
-  name: data.strings
-  normalize:
-  - array
-  short: List of strings representing what was written to the registry.
-  type: wildcard
-registry.data.type:
-  dashed_name: registry-data-type
-  description: Standard registry type for encoding contents
-  example: REG_SZ
-  flat_name: registry.data.type
-  ignore_above: 1024
-  level: core
-  name: data.type
-  normalize: []
-  short: Standard registry type for encoding contents
-  type: keyword
-registry.hive:
-  dashed_name: registry-hive
-  description: Abbreviated name for the hive.
-  example: HKLM
-  flat_name: registry.hive
-  ignore_above: 1024
-  level: core
-  name: hive
-  normalize: []
-  short: Abbreviated name for the hive.
-  type: keyword
-registry.key:
-  dashed_name: registry-key
-  description: Hive-relative path of keys.
-  example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-  flat_name: registry.key
-  ignore_above: 1024
-  level: core
-  name: key
-  normalize: []
-  short: Hive-relative path of keys.
-  type: keyword
-registry.path:
-  dashed_name: registry-path
-  description: Full path, including hive, key and value
-  example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
-    Options\winword.exe\Debugger
-  flat_name: registry.path
-  ignore_above: 1024
-  level: core
-  name: path
-  normalize: []
-  short: Full path, including hive, key and value
-  type: keyword
-registry.value:
-  dashed_name: registry-value
-  description: Name of the value written.
-  example: Debugger
-  flat_name: registry.value
-  ignore_above: 1024
-  level: core
-  name: value
-  normalize: []
-  short: Name of the value written.
-  type: keyword
-related.hash:
-  dashed_name: related-hash
-  description: All the hashes seen on your event. Populating this field, then using
-    it to search for hashes can help in situations where you're unsure what the hash
-    algorithm is (and therefore which key name to search).
-  flat_name: related.hash
-  ignore_above: 1024
-  level: extended
-  name: hash
-  normalize:
-  - array
-  short: All the hashes seen on your event.
-  type: keyword
-related.hosts:
-  dashed_name: related-hosts
-  description: All hostnames or other host identifiers seen on your event. Example
-    identifiers include FQDNs, domain names, workstation names, or aliases.
-  flat_name: related.hosts
-  ignore_above: 1024
-  level: extended
-  name: hosts
-  normalize:
-  - array
-  short: All the host identifiers seen on your event.
-  type: keyword
-related.ip:
-  dashed_name: related-ip
-  description: All of the IPs seen on your event.
-  flat_name: related.ip
-  level: extended
-  name: ip
-  normalize:
-  - array
-  short: All of the IPs seen on your event.
-  type: ip
-related.user:
-  dashed_name: related-user
-  description: All the user names or other user identifiers seen on the event.
-  flat_name: related.user
-  ignore_above: 1024
-  level: extended
-  name: user
-  normalize:
-  - array
-  short: All the user names or other user identifiers seen on the event.
-  type: keyword
-rule.author:
-  dashed_name: rule-author
-  description: Name, organization, or pseudonym of the author or authors who created
-    the rule used to generate this event.
-  example: '["Star-Lord"]'
-  flat_name: rule.author
-  ignore_above: 1024
-  level: extended
-  name: author
-  normalize:
-  - array
-  short: Rule author
-  type: keyword
-rule.category:
-  dashed_name: rule-category
-  description: A categorization value keyword used by the entity using the rule for
-    detection of this event.
-  example: Attempted Information Leak
-  flat_name: rule.category
-  ignore_above: 1024
-  level: extended
-  name: category
-  normalize: []
-  short: Rule category
-  type: keyword
-rule.description:
-  dashed_name: rule-description
-  description: The description of the rule generating the event.
-  example: Block requests to public DNS over HTTPS / TLS protocols
-  flat_name: rule.description
-  ignore_above: 1024
-  level: extended
-  name: description
-  normalize: []
-  short: Rule description
-  type: keyword
-rule.id:
-  dashed_name: rule-id
-  description: A rule ID that is unique within the scope of an agent, observer, or
-    other entity using the rule for detection of this event.
-  example: 101
-  flat_name: rule.id
-  ignore_above: 1024
-  level: extended
-  name: id
-  normalize: []
-  short: Rule ID
-  type: keyword
-rule.license:
-  dashed_name: rule-license
-  description: Name of the license under which the rule used to generate this event
-    is made available.
-  example: Apache 2.0
-  flat_name: rule.license
-  ignore_above: 1024
-  level: extended
-  name: license
-  normalize: []
-  short: Rule license
-  type: keyword
-rule.name:
-  dashed_name: rule-name
-  description: The name of the rule or signature generating the event.
-  example: BLOCK_DNS_over_TLS
-  flat_name: rule.name
-  ignore_above: 1024
-  level: extended
-  name: name
-  normalize: []
-  short: Rule name
-  type: keyword
-rule.reference:
-  dashed_name: rule-reference
-  description: 'Reference URL to additional information about the rule used to generate
-    this event.
-
-    The URL can point to the vendor''s documentation about the rule. If that''s not
-    available, it can also be a link to a more general page describing this type of
-    alert.'
-  example: https://en.wikipedia.org/wiki/DNS_over_TLS
-  flat_name: rule.reference
-  ignore_above: 1024
-  level: extended
-  name: reference
-  normalize: []
-  short: Rule reference URL
-  type: keyword
-rule.ruleset:
-  dashed_name: rule-ruleset
-  description: Name of the ruleset, policy, group, or parent category in which the
-    rule used to generate this event is a member.
-  example: Standard_Protocol_Filters
-  flat_name: rule.ruleset
-  ignore_above: 1024
-  level: extended
-  name: ruleset
-  normalize: []
-  short: Rule ruleset
-  type: keyword
-rule.uuid:
-  dashed_name: rule-uuid
-  description: A rule ID that is unique within the scope of a set or group of agents,
-    observers, or other entities using the rule for detection of this event.
-  example: 1100110011
-  flat_name: rule.uuid
-  ignore_above: 1024
-  level: extended
-  name: uuid
-  normalize: []
-  short: Rule UUID
-  type: keyword
-rule.version:
-  dashed_name: rule-version
-  description: The version / revision of the rule being used for analysis.
-  example: 1.1
-  flat_name: rule.version
-  ignore_above: 1024
-  level: extended
-  name: version
-  normalize: []
-  short: Rule version
-  type: keyword
-server.address:
-  dashed_name: server-address
-  description: 'Some event server addresses are defined ambiguously. The event will
-    sometimes list an IP, a domain or a unix socket.  You should always store the
-    raw address in the `.address` field.
-
-    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
-    is.'
-  flat_name: server.address
-  ignore_above: 1024
-  level: extended
-  name: address
-  normalize: []
-  short: Server network address.
-  type: keyword
-server.as.number:
-  dashed_name: server-as-number
-  description: Unique number allocated to the autonomous system. The autonomous system
-    number (ASN) uniquely identifies each network on the Internet.
-  example: 15169
-  flat_name: server.as.number
-  level: extended
-  name: number
-  normalize: []
-  original_fieldset: as
-  short: Unique number allocated to the autonomous system.
-  type: long
-server.as.organization.name:
-  dashed_name: server-as-organization-name
-  description: Organization name.
-  example: Google LLC
-  flat_name: server.as.organization.name
-  ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: server.as.organization.name.text
-    name: text
-    type: match_only_text
-  name: organization.name
-  normalize: []
-  original_fieldset: as
-  short: Organization name.
-  type: keyword
-server.bytes:
-  dashed_name: server-bytes
-  description: Bytes sent from the server to the client.
-  example: 184
-  flat_name: server.bytes
-  format: bytes
-  level: core
-  name: bytes
-  normalize: []
-  short: Bytes sent from the server to the client.
-  type: long
-server.domain:
-  dashed_name: server-domain
-  description: Server domain.
-  flat_name: server.domain
-  ignore_above: 1024
-  level: core
-  name: domain
-  normalize: []
-  short: Server domain.
-  type: keyword
-server.geo.city_name:
-  dashed_name: server-geo-city-name
-  description: City name.
-  example: Montreal
-  flat_name: server.geo.city_name
-  ignore_above: 1024
-  level: core
-  name: city_name
-  normalize: []
-  original_fieldset: geo
-  short: City name.
-  type: keyword
-server.geo.continent_code:
-  dashed_name: server-geo-continent-code
-  description: Two-letter code representing continent's name.
-  example: NA
-  flat_name: server.geo.continent_code
-  ignore_above: 1024
-  level: core
-  name: continent_code
-  normalize: []
-  original_fieldset: geo
-  short: Continent code.
-  type: keyword
-server.geo.continent_name:
-  dashed_name: server-geo-continent-name
-  description: Name of the continent.
-  example: North America
-  flat_name: server.geo.continent_name
-  ignore_above: 1024
-  level: core
-  name: continent_name
-  normalize: []
-  original_fieldset: geo
-  short: Name of the continent.
-  type: keyword
-server.geo.country_iso_code:
-  dashed_name: server-geo-country-iso-code
-  description: Country ISO code.
-  example: CA
-  flat_name: server.geo.country_iso_code
-  ignore_above: 1024
-  level: core
-  name: country_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Country ISO code.
-  type: keyword
-server.geo.country_name:
-  dashed_name: server-geo-country-name
-  description: Country name.
-  example: Canada
-  flat_name: server.geo.country_name
-  ignore_above: 1024
-  level: core
-  name: country_name
-  normalize: []
-  original_fieldset: geo
-  short: Country name.
-  type: keyword
-server.geo.location:
-  dashed_name: server-geo-location
-  description: Longitude and latitude.
-  example: '{ "lon": -73.614830, "lat": 45.505918 }'
-  flat_name: server.geo.location
-  level: core
-  name: location
-  normalize: []
-  original_fieldset: geo
-  short: Longitude and latitude.
-  type: geo_point
-server.geo.name:
-  dashed_name: server-geo-name
-  description: 'User-defined description of a location, at the level of granularity
-    they care about.
-
-    Could be the name of their data centers, the floor number, if this describes a
-    local physical entity, city names.
-
-    Not typically used in automated geolocation.'
-  example: boston-dc
-  flat_name: server.geo.name
-  ignore_above: 1024
-  level: extended
-  name: name
-  normalize: []
-  original_fieldset: geo
-  short: User-defined description of a location.
-  type: keyword
-server.geo.postal_code:
-  dashed_name: server-geo-postal-code
-  description: 'Postal code associated with the location.
-
-    Values appropriate for this field may also be known as a postcode or ZIP code
-    and will vary widely from country to country.'
-  example: 94040
-  flat_name: server.geo.postal_code
-  ignore_above: 1024
-  level: core
-  name: postal_code
-  normalize: []
-  original_fieldset: geo
-  short: Postal code.
-  type: keyword
-server.geo.region_iso_code:
-  dashed_name: server-geo-region-iso-code
-  description: Region ISO code.
-  example: CA-QC
-  flat_name: server.geo.region_iso_code
-  ignore_above: 1024
-  level: core
-  name: region_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Region ISO code.
-  type: keyword
-server.geo.region_name:
-  dashed_name: server-geo-region-name
-  description: Region name.
-  example: Quebec
-  flat_name: server.geo.region_name
-  ignore_above: 1024
-  level: core
-  name: region_name
-  normalize: []
-  original_fieldset: geo
-  short: Region name.
-  type: keyword
-server.geo.timezone:
-  dashed_name: server-geo-timezone
-  description: The time zone of the location, such as IANA time zone name.
-  example: America/Argentina/Buenos_Aires
-  flat_name: server.geo.timezone
-  ignore_above: 1024
-  level: core
-  name: timezone
-  normalize: []
-  original_fieldset: geo
-  short: Time zone.
-  type: keyword
-server.ip:
-  dashed_name: server-ip
-  description: IP address of the server (IPv4 or IPv6).
-  flat_name: server.ip
-  level: core
-  name: ip
-  normalize: []
-  short: IP address of the server.
-  type: ip
-server.mac:
-  dashed_name: server-mac
-  description: 'MAC address of the server.
-
-    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
-    is represented by two [uppercase] hexadecimal digits giving the value of the octet
-    as an unsigned integer. Successive octets are separated by a hyphen.'
-  example: 00-00-5E-00-53-23
-  flat_name: server.mac
-  ignore_above: 1024
-  level: core
-  name: mac
-  normalize: []
-  short: MAC address of the server.
-  type: keyword
-server.nat.ip:
-  dashed_name: server-nat-ip
-  description: 'Translated ip of destination based NAT sessions (e.g. internet to
-    private DMZ)
-
-    Typically used with load balancers, firewalls, or routers.'
-  flat_name: server.nat.ip
-  level: extended
-  name: nat.ip
-  normalize: []
-  short: Server NAT ip
-  type: ip
-server.nat.port:
-  dashed_name: server-nat-port
-  description: 'Translated port of destination based NAT sessions (e.g. internet to
-    private DMZ)
-
-    Typically used with load balancers, firewalls, or routers.'
-  flat_name: server.nat.port
-  format: string
-  level: extended
-  name: nat.port
-  normalize: []
-  short: Server NAT port
-  type: long
-server.packets:
-  dashed_name: server-packets
-  description: Packets sent from the server to the client.
-  example: 12
-  flat_name: server.packets
-  level: core
-  name: packets
-  normalize: []
-  short: Packets sent from the server to the client.
-  type: long
-server.port:
-  dashed_name: server-port
-  description: Port of the server.
-  flat_name: server.port
-  format: string
-  level: core
-  name: port
-  normalize: []
-  short: Port of the server.
-  type: long
-server.registered_domain:
-  dashed_name: server-registered-domain
-  description: 'The highest registered server domain, stripped of the subdomain.
-
-    For example, the registered domain for "foo.example.com" is "example.com".
-
-    This value can be determined precisely with a list like the public suffix list
-    (http://publicsuffix.org). Trying to approximate this by simply taking the last
-    two labels will not work well for TLDs such as "co.uk".'
-  example: example.com
-  flat_name: server.registered_domain
-  ignore_above: 1024
-  level: extended
-  name: registered_domain
-  normalize: []
-  short: The highest registered server domain, stripped of the subdomain.
-  type: keyword
-server.subdomain:
-  dashed_name: server-subdomain
-  description: 'The subdomain portion of a fully qualified domain name includes all
-    of the names except the host name under the registered_domain.  In a partially
-    qualified domain, or if the the qualification level of the full name cannot be
-    determined, subdomain contains all of the names below the registered domain.
-
-    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
-    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
-    subdomain field should contain "sub2.sub1", with no trailing period.'
-  example: east
-  flat_name: server.subdomain
-  ignore_above: 1024
-  level: extended
-  name: subdomain
-  normalize: []
-  short: The subdomain of the domain.
-  type: keyword
-server.top_level_domain:
-  dashed_name: server-top-level-domain
-  description: 'The effective top level domain (eTLD), also known as the domain suffix,
-    is the last part of the domain name. For example, the top level domain for example.com
-    is "com".
-
-    This value can be determined precisely with a list like the public suffix list
-    (http://publicsuffix.org). Trying to approximate this by simply taking the last
-    label will not work well for effective TLDs such as "co.uk".'
-  example: co.uk
-  flat_name: server.top_level_domain
-  ignore_above: 1024
-  level: extended
-  name: top_level_domain
-  normalize: []
-  short: The effective top level domain (com, org, net, co.uk).
-  type: keyword
-server.user.domain:
-  dashed_name: server-user-domain
-  description: 'Name of the directory the user is a member of.
-
-    For example, an LDAP or Active Directory domain name.'
-  flat_name: server.user.domain
-  ignore_above: 1024
-  level: extended
-  name: domain
-  normalize: []
-  original_fieldset: user
-  short: Name of the directory the user is a member of.
-  type: keyword
-server.user.email:
-  dashed_name: server-user-email
-  description: User email address.
-  flat_name: server.user.email
-  ignore_above: 1024
-  level: extended
-  name: email
-  normalize: []
-  original_fieldset: user
-  short: User email address.
-  type: keyword
-server.user.full_name:
-  dashed_name: server-user-full-name
-  description: User's full name, if available.
-  example: Albert Einstein
-  flat_name: server.user.full_name
-  ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: server.user.full_name.text
-    name: text
-    type: match_only_text
-  name: full_name
-  normalize: []
-  original_fieldset: user
-  short: User's full name, if available.
-  type: keyword
-server.user.group.domain:
-  dashed_name: server-user-group-domain
-  description: 'Name of the directory the group is a member of.
-
-    For example, an LDAP or Active Directory domain name.'
-  flat_name: server.user.group.domain
-  ignore_above: 1024
-  level: extended
-  name: domain
-  normalize: []
-  original_fieldset: group
-  short: Name of the directory the group is a member of.
-  type: keyword
-server.user.group.id:
-  dashed_name: server-user-group-id
-  description: Unique identifier for the group on the system/platform.
-  flat_name: server.user.group.id
-  ignore_above: 1024
-  level: extended
-  name: id
-  normalize: []
-  original_fieldset: group
-  short: Unique identifier for the group on the system/platform.
-  type: keyword
-server.user.group.name:
-  dashed_name: server-user-group-name
-  description: Name of the group.
-  flat_name: server.user.group.name
-  ignore_above: 1024
-  level: extended
-  name: name
-  normalize: []
-  original_fieldset: group
-  short: Name of the group.
-  type: keyword
-server.user.hash:
-  dashed_name: server-user-hash
-  description: 'Unique user hash to correlate information for a user in anonymized
-    form.
-
-    Useful if `user.id` or `user.name` contain confidential information and cannot
-    be used.'
-  flat_name: server.user.hash
-  ignore_above: 1024
-  level: extended
-  name: hash
-  normalize: []
-  original_fieldset: user
-  short: Unique user hash to correlate information for a user in anonymized form.
-  type: keyword
-server.user.id:
-  dashed_name: server-user-id
-  description: Unique identifier of the user.
-  example: S-1-5-21-202424912787-2692429404-2351956786-1000
-  flat_name: server.user.id
-  ignore_above: 1024
-  level: core
-  name: id
-  normalize: []
-  original_fieldset: user
-  short: Unique identifier of the user.
-  type: keyword
-server.user.name:
-  dashed_name: server-user-name
-  description: Short name or login of the user.
-  example: a.einstein
-  flat_name: server.user.name
-  ignore_above: 1024
-  level: core
-  multi_fields:
-  - flat_name: server.user.name.text
-    name: text
-    type: match_only_text
-  name: name
-  normalize: []
-  original_fieldset: user
-  short: Short name or login of the user.
-  type: keyword
-server.user.roles:
-  dashed_name: server-user-roles
-  description: Array of user roles at the time of the event.
-  example: '["kibana_admin", "reporting_user"]'
-  flat_name: server.user.roles
-  ignore_above: 1024
-  level: extended
-  name: roles
-  normalize:
-  - array
-  original_fieldset: user
-  short: Array of user roles at the time of the event.
-  type: keyword
-service.address:
-  dashed_name: service-address
-  description: 'Address where data about this service was collected from.
-
-    This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
-    path (sockets).'
-  example: 172.26.0.2:5432
-  flat_name: service.address
-  ignore_above: 1024
-  level: extended
-  name: address
-  normalize: []
-  short: Address of this service.
-  type: keyword
-service.environment:
-  beta: This field is beta and subject to change.
-  dashed_name: service-environment
-  description: 'Identifies the environment where the service is running.
-
-    If the same service runs in different environments (production, staging, QA, development,
-    etc.), the environment can identify other instances of the same service. Can also
-    group services and applications from the same environment.'
-  example: production
-  flat_name: service.environment
-  ignore_above: 1024
-  level: extended
-  name: environment
-  normalize: []
-  short: Environment of the service.
-  type: keyword
-service.ephemeral_id:
-  dashed_name: service-ephemeral-id
-  description: 'Ephemeral identifier of this service (if one exists).
-
-    This id normally changes across restarts, but `service.id` does not.'
-  example: 8a4f500f
-  flat_name: service.ephemeral_id
-  ignore_above: 1024
-  level: extended
-  name: ephemeral_id
-  normalize: []
-  short: Ephemeral identifier of this service.
-  type: keyword
-service.id:
-  dashed_name: service-id
-  description: 'Unique identifier of the running service. If the service is comprised
-    of many nodes, the `service.id` should be the same for all nodes.
-
-    This id should uniquely identify the service. This makes it possible to correlate
-    logs and metrics for one specific service, no matter which particular node emitted
-    the event.
-
-    Note that if you need to see the events from one specific host of the service,
-    you should filter on that `host.name` or `host.id` instead.'
-  example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-  flat_name: service.id
-  ignore_above: 1024
-  level: core
-  name: id
-  normalize: []
-  short: Unique identifier of the running service.
-  type: keyword
-service.name:
-  dashed_name: service-name
-  description: 'Name of the service data is collected from.
-
-    The name of the service is normally user given. This allows for distributed services
-    that run on multiple hosts to correlate the related instances based on the name.
-
-    In the case of Elasticsearch the `service.name` could contain the cluster name.
-    For Beats the `service.name` is by default a copy of the `service.type` field
-    if no name is specified.'
-  example: elasticsearch-metrics
-  flat_name: service.name
-  ignore_above: 1024
-  level: core
-  name: name
-  normalize: []
-  short: Name of the service.
-  type: keyword
-service.node.name:
-  dashed_name: service-node-name
-  description: 'Name of a service node.
-
-    This allows for two nodes of the same service running on the same host to be differentiated.
-    Therefore, `service.node.name` should typically be unique across nodes of a given
-    service.
-
-    In the case of Elasticsearch, the `service.node.name` could contain the unique
-    node name within the Elasticsearch cluster. In cases where the service doesn''t
-    have the concept of a node name, the host name or container name can be used to
-    distinguish running instances that make up this service. If those do not provide
-    uniqueness (e.g. multiple instances of the service running on the same host) -
-    the node name can be manually set.'
-  example: instance-0000000016
-  flat_name: service.node.name
-  ignore_above: 1024
-  level: extended
-  name: node.name
-  normalize: []
-  short: Name of the service node.
-  type: keyword
-service.state:
-  dashed_name: service-state
-  description: Current state of the service.
-  flat_name: service.state
-  ignore_above: 1024
-  level: core
-  name: state
-  normalize: []
-  short: Current state of the service.
-  type: keyword
-service.type:
-  dashed_name: service-type
-  description: 'The type of the service data is collected from.
-
-    The type can be used to group and correlate logs and metrics from one service
-    type.
-
-    Example: If logs or metrics are collected from Elasticsearch, `service.type` would
-    be `elasticsearch`.'
-  example: elasticsearch
-  flat_name: service.type
-  ignore_above: 1024
-  level: core
-  name: type
-  normalize: []
-  short: The type of the service.
-  type: keyword
-service.version:
-  dashed_name: service-version
-  description: 'Version of the service the data was collected from.
-
-    This allows to look at a data set only for a specific version of a service.'
-  example: 3.2.4
-  flat_name: service.version
-  ignore_above: 1024
-  level: core
-  name: version
-  normalize: []
-  short: Version of the service.
-  type: keyword
-source.address:
-  dashed_name: source-address
-  description: 'Some event source addresses are defined ambiguously. The event will
-    sometimes list an IP, a domain or a unix socket.  You should always store the
-    raw address in the `.address` field.
-
-    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
-    is.'
-  flat_name: source.address
-  ignore_above: 1024
-  level: extended
-  name: address
-  normalize: []
-  short: Source network address.
-  type: keyword
-source.as.number:
-  dashed_name: source-as-number
-  description: Unique number allocated to the autonomous system. The autonomous system
-    number (ASN) uniquely identifies each network on the Internet.
-  example: 15169
-  flat_name: source.as.number
-  level: extended
-  name: number
-  normalize: []
-  original_fieldset: as
-  short: Unique number allocated to the autonomous system.
-  type: long
-source.as.organization.name:
-  dashed_name: source-as-organization-name
-  description: Organization name.
-  example: Google LLC
-  flat_name: source.as.organization.name
-  ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: source.as.organization.name.text
-    name: text
-    type: match_only_text
-  name: organization.name
-  normalize: []
-  original_fieldset: as
-  short: Organization name.
-  type: keyword
-source.bytes:
-  dashed_name: source-bytes
-  description: Bytes sent from the source to the destination.
-  example: 184
-  flat_name: source.bytes
-  format: bytes
-  level: core
-  name: bytes
-  normalize: []
-  short: Bytes sent from the source to the destination.
-  type: long
-source.domain:
-  dashed_name: source-domain
-  description: Source domain.
-  flat_name: source.domain
-  ignore_above: 1024
-  level: core
-  name: domain
-  normalize: []
-  short: Source domain.
-  type: keyword
-source.geo.city_name:
-  dashed_name: source-geo-city-name
-  description: City name.
-  example: Montreal
-  flat_name: source.geo.city_name
-  ignore_above: 1024
-  level: core
-  name: city_name
-  normalize: []
-  original_fieldset: geo
-  short: City name.
-  type: keyword
-source.geo.continent_code:
-  dashed_name: source-geo-continent-code
-  description: Two-letter code representing continent's name.
-  example: NA
-  flat_name: source.geo.continent_code
-  ignore_above: 1024
-  level: core
-  name: continent_code
-  normalize: []
-  original_fieldset: geo
-  short: Continent code.
-  type: keyword
-source.geo.continent_name:
-  dashed_name: source-geo-continent-name
-  description: Name of the continent.
-  example: North America
-  flat_name: source.geo.continent_name
-  ignore_above: 1024
-  level: core
-  name: continent_name
-  normalize: []
-  original_fieldset: geo
-  short: Name of the continent.
-  type: keyword
-source.geo.country_iso_code:
-  dashed_name: source-geo-country-iso-code
-  description: Country ISO code.
-  example: CA
-  flat_name: source.geo.country_iso_code
-  ignore_above: 1024
-  level: core
-  name: country_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Country ISO code.
-  type: keyword
-source.geo.country_name:
-  dashed_name: source-geo-country-name
-  description: Country name.
-  example: Canada
-  flat_name: source.geo.country_name
-  ignore_above: 1024
-  level: core
-  name: country_name
-  normalize: []
-  original_fieldset: geo
-  short: Country name.
-  type: keyword
-source.geo.location:
-  dashed_name: source-geo-location
-  description: Longitude and latitude.
-  example: '{ "lon": -73.614830, "lat": 45.505918 }'
-  flat_name: source.geo.location
-  level: core
-  name: location
-  normalize: []
-  original_fieldset: geo
-  short: Longitude and latitude.
-  type: geo_point
-source.geo.name:
-  dashed_name: source-geo-name
-  description: 'User-defined description of a location, at the level of granularity
-    they care about.
-
-    Could be the name of their data centers, the floor number, if this describes a
-    local physical entity, city names.
-
-    Not typically used in automated geolocation.'
-  example: boston-dc
-  flat_name: source.geo.name
-  ignore_above: 1024
-  level: extended
-  name: name
-  normalize: []
-  original_fieldset: geo
-  short: User-defined description of a location.
-  type: keyword
-source.geo.postal_code:
-  dashed_name: source-geo-postal-code
-  description: 'Postal code associated with the location.
-
-    Values appropriate for this field may also be known as a postcode or ZIP code
-    and will vary widely from country to country.'
-  example: 94040
-  flat_name: source.geo.postal_code
-  ignore_above: 1024
-  level: core
-  name: postal_code
-  normalize: []
-  original_fieldset: geo
-  short: Postal code.
-  type: keyword
-source.geo.region_iso_code:
-  dashed_name: source-geo-region-iso-code
-  description: Region ISO code.
-  example: CA-QC
-  flat_name: source.geo.region_iso_code
-  ignore_above: 1024
-  level: core
-  name: region_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Region ISO code.
-  type: keyword
-source.geo.region_name:
-  dashed_name: source-geo-region-name
-  description: Region name.
-  example: Quebec
-  flat_name: source.geo.region_name
-  ignore_above: 1024
-  level: core
-  name: region_name
-  normalize: []
-  original_fieldset: geo
-  short: Region name.
-  type: keyword
-source.geo.timezone:
-  dashed_name: source-geo-timezone
-  description: The time zone of the location, such as IANA time zone name.
-  example: America/Argentina/Buenos_Aires
-  flat_name: source.geo.timezone
-  ignore_above: 1024
-  level: core
-  name: timezone
-  normalize: []
-  original_fieldset: geo
-  short: Time zone.
-  type: keyword
-source.ip:
-  dashed_name: source-ip
-  description: IP address of the source (IPv4 or IPv6).
-  flat_name: source.ip
-  level: core
-  name: ip
-  normalize: []
-  short: IP address of the source.
-  type: ip
-source.mac:
-  dashed_name: source-mac
-  description: 'MAC address of the source.
-
-    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
-    is represented by two [uppercase] hexadecimal digits giving the value of the octet
-    as an unsigned integer. Successive octets are separated by a hyphen.'
-  example: 00-00-5E-00-53-23
-  flat_name: source.mac
-  ignore_above: 1024
-  level: core
-  name: mac
-  normalize: []
-  short: MAC address of the source.
-  type: keyword
-source.nat.ip:
-  dashed_name: source-nat-ip
-  description: 'Translated ip of source based NAT sessions (e.g. internal client to
-    internet)
-
-    Typically connections traversing load balancers, firewalls, or routers.'
-  flat_name: source.nat.ip
-  level: extended
-  name: nat.ip
-  normalize: []
-  short: Source NAT ip
-  type: ip
-source.nat.port:
-  dashed_name: source-nat-port
-  description: 'Translated port of source based NAT sessions. (e.g. internal client
-    to internet)
-
-    Typically used with load balancers, firewalls, or routers.'
-  flat_name: source.nat.port
-  format: string
-  level: extended
-  name: nat.port
-  normalize: []
-  short: Source NAT port
-  type: long
-source.packets:
-  dashed_name: source-packets
-  description: Packets sent from the source to the destination.
-  example: 12
-  flat_name: source.packets
-  level: core
-  name: packets
-  normalize: []
-  short: Packets sent from the source to the destination.
-  type: long
-source.port:
-  dashed_name: source-port
-  description: Port of the source.
-  flat_name: source.port
-  format: string
-  level: core
-  name: port
-  normalize: []
-  short: Port of the source.
-  type: long
-source.registered_domain:
-  dashed_name: source-registered-domain
-  description: 'The highest registered source domain, stripped of the subdomain.
-
-    For example, the registered domain for "foo.example.com" is "example.com".
-
-    This value can be determined precisely with a list like the public suffix list
-    (http://publicsuffix.org). Trying to approximate this by simply taking the last
-    two labels will not work well for TLDs such as "co.uk".'
-  example: example.com
-  flat_name: source.registered_domain
-  ignore_above: 1024
-  level: extended
-  name: registered_domain
-  normalize: []
-  short: The highest registered source domain, stripped of the subdomain.
-  type: keyword
-source.subdomain:
-  dashed_name: source-subdomain
-  description: 'The subdomain portion of a fully qualified domain name includes all
-    of the names except the host name under the registered_domain.  In a partially
-    qualified domain, or if the the qualification level of the full name cannot be
-    determined, subdomain contains all of the names below the registered domain.
-
-    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
-    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
-    subdomain field should contain "sub2.sub1", with no trailing period.'
-  example: east
-  flat_name: source.subdomain
-  ignore_above: 1024
-  level: extended
-  name: subdomain
-  normalize: []
-  short: The subdomain of the domain.
-  type: keyword
-source.top_level_domain:
-  dashed_name: source-top-level-domain
-  description: 'The effective top level domain (eTLD), also known as the domain suffix,
-    is the last part of the domain name. For example, the top level domain for example.com
-    is "com".
-
-    This value can be determined precisely with a list like the public suffix list
-    (http://publicsuffix.org). Trying to approximate this by simply taking the last
-    label will not work well for effective TLDs such as "co.uk".'
-  example: co.uk
-  flat_name: source.top_level_domain
-  ignore_above: 1024
-  level: extended
-  name: top_level_domain
-  normalize: []
-  short: The effective top level domain (com, org, net, co.uk).
-  type: keyword
-source.user.domain:
-  dashed_name: source-user-domain
-  description: 'Name of the directory the user is a member of.
-
-    For example, an LDAP or Active Directory domain name.'
-  flat_name: source.user.domain
-  ignore_above: 1024
-  level: extended
-  name: domain
-  normalize: []
-  original_fieldset: user
-  short: Name of the directory the user is a member of.
-  type: keyword
-source.user.email:
-  dashed_name: source-user-email
-  description: User email address.
-  flat_name: source.user.email
-  ignore_above: 1024
-  level: extended
-  name: email
-  normalize: []
-  original_fieldset: user
-  short: User email address.
-  type: keyword
-source.user.full_name:
-  dashed_name: source-user-full-name
-  description: User's full name, if available.
-  example: Albert Einstein
-  flat_name: source.user.full_name
-  ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: source.user.full_name.text
-    name: text
-    type: match_only_text
-  name: full_name
-  normalize: []
-  original_fieldset: user
-  short: User's full name, if available.
-  type: keyword
-source.user.group.domain:
-  dashed_name: source-user-group-domain
-  description: 'Name of the directory the group is a member of.
-
-    For example, an LDAP or Active Directory domain name.'
-  flat_name: source.user.group.domain
-  ignore_above: 1024
-  level: extended
-  name: domain
-  normalize: []
-  original_fieldset: group
-  short: Name of the directory the group is a member of.
-  type: keyword
-source.user.group.id:
-  dashed_name: source-user-group-id
-  description: Unique identifier for the group on the system/platform.
-  flat_name: source.user.group.id
-  ignore_above: 1024
-  level: extended
-  name: id
-  normalize: []
-  original_fieldset: group
-  short: Unique identifier for the group on the system/platform.
-  type: keyword
-source.user.group.name:
-  dashed_name: source-user-group-name
-  description: Name of the group.
-  flat_name: source.user.group.name
-  ignore_above: 1024
-  level: extended
-  name: name
-  normalize: []
-  original_fieldset: group
-  short: Name of the group.
-  type: keyword
-source.user.hash:
-  dashed_name: source-user-hash
-  description: 'Unique user hash to correlate information for a user in anonymized
-    form.
-
-    Useful if `user.id` or `user.name` contain confidential information and cannot
-    be used.'
-  flat_name: source.user.hash
-  ignore_above: 1024
-  level: extended
-  name: hash
-  normalize: []
-  original_fieldset: user
-  short: Unique user hash to correlate information for a user in anonymized form.
-  type: keyword
-source.user.id:
-  dashed_name: source-user-id
-  description: Unique identifier of the user.
-  example: S-1-5-21-202424912787-2692429404-2351956786-1000
-  flat_name: source.user.id
-  ignore_above: 1024
-  level: core
-  name: id
-  normalize: []
-  original_fieldset: user
-  short: Unique identifier of the user.
-  type: keyword
-source.user.name:
-  dashed_name: source-user-name
-  description: Short name or login of the user.
-  example: a.einstein
-  flat_name: source.user.name
-  ignore_above: 1024
-  level: core
-  multi_fields:
-  - flat_name: source.user.name.text
-    name: text
-    type: match_only_text
-  name: name
-  normalize: []
-  original_fieldset: user
-  short: Short name or login of the user.
-  type: keyword
-source.user.roles:
-  dashed_name: source-user-roles
-  description: Array of user roles at the time of the event.
-  example: '["kibana_admin", "reporting_user"]'
-  flat_name: source.user.roles
-  ignore_above: 1024
-  level: extended
-  name: roles
-  normalize:
-  - array
-  original_fieldset: user
-  short: Array of user roles at the time of the event.
-  type: keyword
-span.id:
-  dashed_name: span-id
-  description: 'Unique identifier of the span within the scope of its trace.
-
-    A span represents an operation within a transaction, such as a request to another
-    service, or a database query.'
-  example: 3ff9a8981b7ccd5a
-  flat_name: span.id
-  ignore_above: 1024
-  level: extended
-  name: span.id
-  normalize: []
-  short: Unique identifier of the span within the scope of its trace.
-  type: keyword
-tags:
-  dashed_name: tags
-  description: List of keywords used to tag each event.
-  example: '["production", "env2"]'
-  flat_name: tags
-  ignore_above: 1024
-  level: core
-  name: tags
-  normalize:
-  - array
-  short: List of keywords used to tag each event.
-  type: keyword
-threat.enrichments:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments
-  description: A list of associated indicators objects enriching the event, and the
-    context of that association/enrichment.
-  flat_name: threat.enrichments
-  level: extended
-  name: enrichments
-  normalize: []
-  short: List of objects containing indicators enriching the event.
-  type: nested
-threat.enrichments.indicator:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator
-  description: Object containing associated indicators enriching the event.
-  flat_name: threat.enrichments.indicator
-  level: extended
-  name: enrichments.indicator
-  normalize: []
-  short: Object containing indicators enriching the event.
-  type: object
-threat.enrichments.indicator.as.number:
-  dashed_name: threat-enrichments-indicator-as-number
-  description: Unique number allocated to the autonomous system. The autonomous system
-    number (ASN) uniquely identifies each network on the Internet.
-  example: 15169
-  flat_name: threat.enrichments.indicator.as.number
+threat.enrichments.indicator.file.elf.sections.virtual_address:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address
+  description: ELF Section List virtual address.
+  flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address
+  format: string
   level: extended
-  name: number
+  name: sections.virtual_address
   normalize: []
-  original_fieldset: as
-  short: Unique number allocated to the autonomous system.
+  original_fieldset: elf
+  short: ELF Section List virtual address.
   type: long
-threat.enrichments.indicator.as.organization.name:
-  dashed_name: threat-enrichments-indicator-as-organization-name
-  description: Organization name.
-  example: Google LLC
-  flat_name: threat.enrichments.indicator.as.organization.name
-  ignore_above: 1024
-  level: extended
-  multi_fields:
-  - flat_name: threat.enrichments.indicator.as.organization.name.text
-    name: text
-    type: match_only_text
-  name: organization.name
-  normalize: []
-  original_fieldset: as
-  short: Organization name.
-  type: keyword
-threat.enrichments.indicator.confidence:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-confidence
-  description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the None/Low/Medium/High\_\
-    scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence\
-    \ scales may be added as custom fields.\nExpected values are:\n  * Not Specified\n\
-    \  * None\n  * Low\n  * Medium\n  * High"
-  example: Medium
-  flat_name: threat.enrichments.indicator.confidence
-  ignore_above: 1024
-  level: extended
-  name: enrichments.indicator.confidence
-  normalize: []
-  short: Indicator confidence rating
-  type: keyword
-threat.enrichments.indicator.description:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-description
-  description: Describes the type of action conducted by the threat.
-  example: IP x.x.x.x was observed delivering the Angler EK.
-  flat_name: threat.enrichments.indicator.description
-  ignore_above: 1024
-  level: extended
-  name: enrichments.indicator.description
-  normalize: []
-  short: Indicator description
-  type: keyword
-threat.enrichments.indicator.email.address:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-email-address
-  description: Identifies a threat indicator as an email address (irrespective of
-    direction).
-  example: phish@example.com
-  flat_name: threat.enrichments.indicator.email.address
-  ignore_above: 1024
-  level: extended
-  name: enrichments.indicator.email.address
-  normalize: []
-  short: Indicator email address
-  type: keyword
-threat.enrichments.indicator.file.accessed:
-  dashed_name: threat-enrichments-indicator-file-accessed
-  description: 'Last time the file was accessed.
-
-    Note that not all filesystems keep track of access time.'
-  flat_name: threat.enrichments.indicator.file.accessed
+threat.enrichments.indicator.file.elf.sections.virtual_size:
+  dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size
+  description: ELF Section List virtual size.
+  flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size
+  format: string
   level: extended
-  name: accessed
+  name: sections.virtual_size
   normalize: []
-  original_fieldset: file
-  short: Last time the file was accessed.
-  type: date
-threat.enrichments.indicator.file.attributes:
-  dashed_name: threat-enrichments-indicator-file-attributes
-  description: 'Array of file attributes.
+  original_fieldset: elf
+  short: ELF Section List virtual size.
+  type: long
+threat.enrichments.indicator.file.elf.segments:
+  dashed_name: threat-enrichments-indicator-file-elf-segments
+  description: 'An array containing an object for each segment of the ELF file.
 
-    Attributes names will vary by platform. Here''s a non-exhaustive list of values
-    that are expected in this field: archive, compressed, directory, encrypted, execute,
-    hidden, read, readonly, system, write.'
-  example: '["readonly", "system"]'
-  flat_name: threat.enrichments.indicator.file.attributes
-  ignore_above: 1024
+    The keys that should be present in these objects are defined by sub-fields underneath
+    `elf.segments.*`.'
+  flat_name: threat.enrichments.indicator.file.elf.segments
   level: extended
-  name: attributes
+  name: segments
   normalize:
   - array
-  original_fieldset: file
-  short: Array of file attributes.
-  type: keyword
-threat.enrichments.indicator.file.code_signature.digest_algorithm:
-  dashed_name: threat-enrichments-indicator-file-code-signature-digest-algorithm
-  description: 'The hashing algorithm used to sign the process.
-
-    This value can distinguish signatures when a file is signed multiple times by
-    the same signer but with a different digest algorithm.'
-  example: sha256
-  flat_name: threat.enrichments.indicator.file.code_signature.digest_algorithm
+  original_fieldset: elf
+  short: ELF object segment list.
+  type: nested
+threat.enrichments.indicator.file.elf.segments.sections:
+  dashed_name: threat-enrichments-indicator-file-elf-segments-sections
+  description: ELF object segment sections.
+  flat_name: threat.enrichments.indicator.file.elf.segments.sections
   ignore_above: 1024
   level: extended
-  name: digest_algorithm
+  name: segments.sections
   normalize: []
-  original_fieldset: code_signature
-  short: Hashing algorithm used to sign the process.
+  original_fieldset: elf
+  short: ELF object segment sections.
   type: keyword
-threat.enrichments.indicator.file.code_signature.exists:
-  dashed_name: threat-enrichments-indicator-file-code-signature-exists
-  description: Boolean to capture if a signature is present.
-  example: 'true'
-  flat_name: threat.enrichments.indicator.file.code_signature.exists
-  level: core
-  name: exists
-  normalize: []
-  original_fieldset: code_signature
-  short: Boolean to capture if a signature is present.
-  type: boolean
-threat.enrichments.indicator.file.code_signature.signing_id:
-  dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
-  description: 'The identifier used to sign the process.
-
-    This is used to identify the application manufactured by a software vendor. The
-    field is relevant to Apple *OS only.'
-  example: com.apple.xpc.proxy
-  flat_name: threat.enrichments.indicator.file.code_signature.signing_id
+threat.enrichments.indicator.file.elf.segments.type:
+  dashed_name: threat-enrichments-indicator-file-elf-segments-type
+  description: ELF object segment type.
+  flat_name: threat.enrichments.indicator.file.elf.segments.type
   ignore_above: 1024
   level: extended
-  name: signing_id
+  name: segments.type
   normalize: []
-  original_fieldset: code_signature
-  short: The identifier used to sign the process.
+  original_fieldset: elf
+  short: ELF object segment type.
   type: keyword
-threat.enrichments.indicator.file.code_signature.status:
-  dashed_name: threat-enrichments-indicator-file-code-signature-status
-  description: 'Additional information about the certificate status.
-
-    This is useful for logging cryptographic errors with the certificate validity
-    or trust status. Leave unpopulated if the validity or trust of the certificate
-    was unchecked.'
-  example: ERROR_UNTRUSTED_ROOT
-  flat_name: threat.enrichments.indicator.file.code_signature.status
+threat.enrichments.indicator.file.elf.shared_libraries:
+  dashed_name: threat-enrichments-indicator-file-elf-shared-libraries
+  description: List of shared libraries used by this ELF object.
+  flat_name: threat.enrichments.indicator.file.elf.shared_libraries
   ignore_above: 1024
   level: extended
-  name: status
-  normalize: []
-  original_fieldset: code_signature
-  short: Additional information about the certificate status.
-  type: keyword
-threat.enrichments.indicator.file.code_signature.subject_name:
-  dashed_name: threat-enrichments-indicator-file-code-signature-subject-name
-  description: Subject name of the code signer
-  example: Microsoft Corporation
-  flat_name: threat.enrichments.indicator.file.code_signature.subject_name
-  ignore_above: 1024
-  level: core
-  name: subject_name
-  normalize: []
-  original_fieldset: code_signature
-  short: Subject name of the code signer
+  name: shared_libraries
+  normalize:
+  - array
+  original_fieldset: elf
+  short: List of shared libraries used by this ELF object.
   type: keyword
-threat.enrichments.indicator.file.code_signature.team_id:
-  dashed_name: threat-enrichments-indicator-file-code-signature-team-id
-  description: 'The team identifier used to sign the process.
-
-    This is used to identify the team or vendor of a software product. The field is
-    relevant to Apple *OS only.'
-  example: EQHXZ8M8AV
-  flat_name: threat.enrichments.indicator.file.code_signature.team_id
+threat.enrichments.indicator.file.elf.telfhash:
+  dashed_name: threat-enrichments-indicator-file-elf-telfhash
+  description: telfhash symbol hash for ELF file.
+  flat_name: threat.enrichments.indicator.file.elf.telfhash
   ignore_above: 1024
-  level: extended
-  name: team_id
-  normalize: []
-  original_fieldset: code_signature
-  short: The team identifier used to sign the process.
-  type: keyword
-threat.enrichments.indicator.file.code_signature.timestamp:
-  dashed_name: threat-enrichments-indicator-file-code-signature-timestamp
-  description: Date and time when the code signature was generated and signed.
-  example: '2021-01-01T12:10:30Z'
-  flat_name: threat.enrichments.indicator.file.code_signature.timestamp
-  level: extended
-  name: timestamp
-  normalize: []
-  original_fieldset: code_signature
-  short: When the signature was generated and signed.
-  type: date
-threat.enrichments.indicator.file.code_signature.trusted:
-  dashed_name: threat-enrichments-indicator-file-code-signature-trusted
-  description: 'Stores the trust status of the certificate chain.
-
-    Validating the trust of the certificate chain may be complicated, and this field
-    should only be populated by tools that actively check the status.'
-  example: 'true'
-  flat_name: threat.enrichments.indicator.file.code_signature.trusted
-  level: extended
-  name: trusted
-  normalize: []
-  original_fieldset: code_signature
-  short: Stores the trust status of the certificate chain.
-  type: boolean
-threat.enrichments.indicator.file.code_signature.valid:
-  dashed_name: threat-enrichments-indicator-file-code-signature-valid
-  description: 'Boolean to capture if the digital signature is verified against the
-    binary content.
-
-    Leave unpopulated if a certificate was unchecked.'
-  example: 'true'
-  flat_name: threat.enrichments.indicator.file.code_signature.valid
-  level: extended
-  name: valid
-  normalize: []
-  original_fieldset: code_signature
-  short: Boolean to capture if the digital signature is verified against the binary
-    content.
-  type: boolean
-threat.enrichments.indicator.file.created:
-  dashed_name: threat-enrichments-indicator-file-created
-  description: 'File creation time.
+  level: extended
+  name: telfhash
+  normalize: []
+  original_fieldset: elf
+  short: telfhash hash for ELF file.
+  type: keyword
+threat.enrichments.indicator.file.extension:
+  dashed_name: threat-enrichments-indicator-file-extension
+  description: 'File extension, excluding the leading dot.
 
-    Note that not all filesystems store the creation time.'
-  flat_name: threat.enrichments.indicator.file.created
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
+  example: png
+  flat_name: threat.enrichments.indicator.file.extension
+  ignore_above: 1024
   level: extended
-  name: created
+  name: extension
   normalize: []
   original_fieldset: file
-  short: File creation time.
-  type: date
-threat.enrichments.indicator.file.ctime:
-  dashed_name: threat-enrichments-indicator-file-ctime
-  description: 'Last time the file attributes or metadata changed.
+  short: File extension, excluding the leading dot.
+  type: keyword
+threat.enrichments.indicator.file.fork_name:
+  dashed_name: threat-enrichments-indicator-file-fork-name
+  description: 'A fork is additional data associated with a filesystem object.
 
-    Note that changes to the file content will update `mtime`. This implies `ctime`
-    will be adjusted at the same time, since `mtime` is an attribute of the file.'
-  flat_name: threat.enrichments.indicator.file.ctime
+    On Linux, a resource fork is used to store additional data with a filesystem object.
+    A file always has at least one fork for the data portion, and additional forks
+    may exist.
+
+    On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+    data stream for a file is just called $DATA. Zone.Identifier is commonly used
+    by Windows to track contents downloaded from the Internet. An ADS is typically
+    of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+    is the value that should populate `fork_name`. `filename.extension` should populate
+    `file.name`, and `extension` should populate `file.extension`. The full path,
+    `file.path`, will include the fork name.'
+  example: Zone.Identifer
+  flat_name: threat.enrichments.indicator.file.fork_name
+  ignore_above: 1024
   level: extended
-  name: ctime
+  name: fork_name
   normalize: []
   original_fieldset: file
-  short: Last time the file attributes or metadata changed.
-  type: date
-threat.enrichments.indicator.file.device:
-  dashed_name: threat-enrichments-indicator-file-device
-  description: Device that is the source of the file.
-  example: sda
-  flat_name: threat.enrichments.indicator.file.device
+  short: A fork is additional data associated with a filesystem object.
+  type: keyword
+threat.enrichments.indicator.file.gid:
+  dashed_name: threat-enrichments-indicator-file-gid
+  description: Primary group ID (GID) of the file.
+  example: '1001'
+  flat_name: threat.enrichments.indicator.file.gid
   ignore_above: 1024
   level: extended
-  name: device
+  name: gid
   normalize: []
   original_fieldset: file
-  short: Device that is the source of the file.
+  short: Primary group ID (GID) of the file.
   type: keyword
-threat.enrichments.indicator.file.directory:
-  dashed_name: threat-enrichments-indicator-file-directory
-  description: Directory where the file is located. It should include the drive letter,
-    when appropriate.
-  example: /home/alice
-  flat_name: threat.enrichments.indicator.file.directory
+threat.enrichments.indicator.file.group:
+  dashed_name: threat-enrichments-indicator-file-group
+  description: Primary group name of the file.
+  example: alice
+  flat_name: threat.enrichments.indicator.file.group
   ignore_above: 1024
   level: extended
-  name: directory
+  name: group
   normalize: []
   original_fieldset: file
-  short: Directory where the file is located.
+  short: Primary group name of the file.
   type: keyword
-threat.enrichments.indicator.file.drive_letter:
-  dashed_name: threat-enrichments-indicator-file-drive-letter
-  description: 'Drive letter where the file is located. This field is only relevant
-    on Windows.
-
-    The value should be uppercase, and not include the colon.'
-  example: C
-  flat_name: threat.enrichments.indicator.file.drive_letter
-  ignore_above: 1
+threat.enrichments.indicator.file.hash.md5:
+  dashed_name: threat-enrichments-indicator-file-hash-md5
+  description: MD5 hash.
+  flat_name: threat.enrichments.indicator.file.hash.md5
+  ignore_above: 1024
   level: extended
-  name: drive_letter
+  name: md5
   normalize: []
-  original_fieldset: file
-  short: Drive letter where the file is located.
+  original_fieldset: hash
+  short: MD5 hash.
   type: keyword
-threat.enrichments.indicator.file.elf.architecture:
-  dashed_name: threat-enrichments-indicator-file-elf-architecture
-  description: Machine architecture of the ELF file.
-  example: x86-64
-  flat_name: threat.enrichments.indicator.file.elf.architecture
+threat.enrichments.indicator.file.hash.sha1:
+  dashed_name: threat-enrichments-indicator-file-hash-sha1
+  description: SHA1 hash.
+  flat_name: threat.enrichments.indicator.file.hash.sha1
   ignore_above: 1024
   level: extended
-  name: architecture
+  name: sha1
   normalize: []
-  original_fieldset: elf
-  short: Machine architecture of the ELF file.
+  original_fieldset: hash
+  short: SHA1 hash.
   type: keyword
-threat.enrichments.indicator.file.elf.byte_order:
-  dashed_name: threat-enrichments-indicator-file-elf-byte-order
-  description: Byte sequence of ELF file.
-  example: Little Endian
-  flat_name: threat.enrichments.indicator.file.elf.byte_order
+threat.enrichments.indicator.file.hash.sha256:
+  dashed_name: threat-enrichments-indicator-file-hash-sha256
+  description: SHA256 hash.
+  flat_name: threat.enrichments.indicator.file.hash.sha256
   ignore_above: 1024
   level: extended
-  name: byte_order
+  name: sha256
   normalize: []
-  original_fieldset: elf
-  short: Byte sequence of ELF file.
+  original_fieldset: hash
+  short: SHA256 hash.
   type: keyword
-threat.enrichments.indicator.file.elf.cpu_type:
-  dashed_name: threat-enrichments-indicator-file-elf-cpu-type
-  description: CPU type of the ELF file.
-  example: Intel
-  flat_name: threat.enrichments.indicator.file.elf.cpu_type
+threat.enrichments.indicator.file.hash.sha512:
+  dashed_name: threat-enrichments-indicator-file-hash-sha512
+  description: SHA512 hash.
+  flat_name: threat.enrichments.indicator.file.hash.sha512
   ignore_above: 1024
   level: extended
-  name: cpu_type
+  name: sha512
   normalize: []
-  original_fieldset: elf
-  short: CPU type of the ELF file.
+  original_fieldset: hash
+  short: SHA512 hash.
   type: keyword
-threat.enrichments.indicator.file.elf.creation_date:
-  dashed_name: threat-enrichments-indicator-file-elf-creation-date
-  description: Extracted when possible from the file's metadata. Indicates when it
-    was built or compiled. It can also be faked by malware creators.
-  flat_name: threat.enrichments.indicator.file.elf.creation_date
+threat.enrichments.indicator.file.hash.ssdeep:
+  dashed_name: threat-enrichments-indicator-file-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: threat.enrichments.indicator.file.hash.ssdeep
+  ignore_above: 1024
   level: extended
-  name: creation_date
+  name: ssdeep
   normalize: []
-  original_fieldset: elf
-  short: Build or compile date.
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
+threat.enrichments.indicator.file.inode:
+  dashed_name: threat-enrichments-indicator-file-inode
+  description: Inode representing the file in the filesystem.
+  example: '256383'
+  flat_name: threat.enrichments.indicator.file.inode
+  ignore_above: 1024
+  level: extended
+  name: inode
+  normalize: []
+  original_fieldset: file
+  short: Inode representing the file in the filesystem.
+  type: keyword
+threat.enrichments.indicator.file.mime_type:
+  dashed_name: threat-enrichments-indicator-file-mime-type
+  description: MIME type should identify the format of the file or stream of bytes
+    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
+    types], where possible. When more than one type is applicable, the most specific
+    type should be used.
+  flat_name: threat.enrichments.indicator.file.mime_type
+  ignore_above: 1024
+  level: extended
+  name: mime_type
+  normalize: []
+  original_fieldset: file
+  short: Media type of file, document, or arrangement of bytes.
+  type: keyword
+threat.enrichments.indicator.file.mode:
+  dashed_name: threat-enrichments-indicator-file-mode
+  description: Mode of the file in octal representation.
+  example: '0640'
+  flat_name: threat.enrichments.indicator.file.mode
+  ignore_above: 1024
+  level: extended
+  name: mode
+  normalize: []
+  original_fieldset: file
+  short: Mode of the file in octal representation.
+  type: keyword
+threat.enrichments.indicator.file.mtime:
+  dashed_name: threat-enrichments-indicator-file-mtime
+  description: Last time the file content was modified.
+  flat_name: threat.enrichments.indicator.file.mtime
+  level: extended
+  name: mtime
+  normalize: []
+  original_fieldset: file
+  short: Last time the file content was modified.
   type: date
-threat.enrichments.indicator.file.elf.exports:
-  dashed_name: threat-enrichments-indicator-file-elf-exports
-  description: List of exported element names and types.
-  flat_name: threat.enrichments.indicator.file.elf.exports
+threat.enrichments.indicator.file.name:
+  dashed_name: threat-enrichments-indicator-file-name
+  description: Name of the file including the extension, without the directory.
+  example: example.png
+  flat_name: threat.enrichments.indicator.file.name
+  ignore_above: 1024
   level: extended
-  name: exports
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of exported element names and types.
-  type: flattened
-threat.enrichments.indicator.file.elf.header.abi_version:
-  dashed_name: threat-enrichments-indicator-file-elf-header-abi-version
-  description: Version of the ELF Application Binary Interface (ABI).
-  flat_name: threat.enrichments.indicator.file.elf.header.abi_version
+  name: name
+  normalize: []
+  original_fieldset: file
+  short: Name of the file including the extension, without the directory.
+  type: keyword
+threat.enrichments.indicator.file.owner:
+  dashed_name: threat-enrichments-indicator-file-owner
+  description: File owner's username.
+  example: alice
+  flat_name: threat.enrichments.indicator.file.owner
   ignore_above: 1024
   level: extended
-  name: header.abi_version
+  name: owner
   normalize: []
-  original_fieldset: elf
-  short: Version of the ELF Application Binary Interface (ABI).
+  original_fieldset: file
+  short: File owner's username.
   type: keyword
-threat.enrichments.indicator.file.elf.header.class:
-  dashed_name: threat-enrichments-indicator-file-elf-header-class
-  description: Header class of the ELF file.
-  flat_name: threat.enrichments.indicator.file.elf.header.class
+threat.enrichments.indicator.file.path:
+  dashed_name: threat-enrichments-indicator-file-path
+  description: Full path to the file, including the file name. It should include the
+    drive letter, when appropriate.
+  example: /home/alice/example.png
+  flat_name: threat.enrichments.indicator.file.path
   ignore_above: 1024
   level: extended
-  name: header.class
+  multi_fields:
+  - flat_name: threat.enrichments.indicator.file.path.text
+    name: text
+    type: match_only_text
+  name: path
   normalize: []
-  original_fieldset: elf
-  short: Header class of the ELF file.
+  original_fieldset: file
+  short: Full path to the file, including the file name.
   type: keyword
-threat.enrichments.indicator.file.elf.header.data:
-  dashed_name: threat-enrichments-indicator-file-elf-header-data
-  description: Data table of the ELF header.
-  flat_name: threat.enrichments.indicator.file.elf.header.data
+threat.enrichments.indicator.file.pe.architecture:
+  dashed_name: threat-enrichments-indicator-file-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: threat.enrichments.indicator.file.pe.architecture
   ignore_above: 1024
   level: extended
-  name: header.data
+  name: architecture
   normalize: []
-  original_fieldset: elf
-  short: Data table of the ELF header.
+  original_fieldset: pe
+  short: CPU architecture target for the file.
   type: keyword
-threat.enrichments.indicator.file.elf.header.entrypoint:
-  dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint
-  description: Header entrypoint of the ELF file.
-  flat_name: threat.enrichments.indicator.file.elf.header.entrypoint
-  format: string
-  level: extended
-  name: header.entrypoint
-  normalize: []
-  original_fieldset: elf
-  short: Header entrypoint of the ELF file.
-  type: long
-threat.enrichments.indicator.file.elf.header.object_version:
-  dashed_name: threat-enrichments-indicator-file-elf-header-object-version
-  description: '"0x1" for original ELF files.'
-  flat_name: threat.enrichments.indicator.file.elf.header.object_version
+threat.enrichments.indicator.file.pe.authentihash:
+  dashed_name: threat-enrichments-indicator-file-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: threat.enrichments.indicator.file.pe.authentihash
   ignore_above: 1024
   level: extended
-  name: header.object_version
+  name: authentihash
   normalize: []
-  original_fieldset: elf
-  short: '"0x1" for original ELF files.'
+  original_fieldset: pe
+  short: Authentihash of the PE file.
   type: keyword
-threat.enrichments.indicator.file.elf.header.os_abi:
-  dashed_name: threat-enrichments-indicator-file-elf-header-os-abi
-  description: Application Binary Interface (ABI) of the Linux OS.
-  flat_name: threat.enrichments.indicator.file.elf.header.os_abi
+threat.enrichments.indicator.file.pe.company:
+  dashed_name: threat-enrichments-indicator-file-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: threat.enrichments.indicator.file.pe.company
   ignore_above: 1024
   level: extended
-  name: header.os_abi
+  name: company
   normalize: []
-  original_fieldset: elf
-  short: Application Binary Interface (ABI) of the Linux OS.
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
   type: keyword
-threat.enrichments.indicator.file.elf.header.type:
-  dashed_name: threat-enrichments-indicator-file-elf-header-type
-  description: Header type of the ELF file.
-  flat_name: threat.enrichments.indicator.file.elf.header.type
+threat.enrichments.indicator.file.pe.compile_timestamp:
+  dashed_name: threat-enrichments-indicator-file-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.file.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+threat.enrichments.indicator.file.pe.compiler.name:
+  dashed_name: threat-enrichments-indicator-file-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: threat.enrichments.indicator.file.pe.compiler.name
   ignore_above: 1024
   level: extended
-  name: header.type
+  name: compiler.name
   normalize: []
-  original_fieldset: elf
-  short: Header type of the ELF file.
+  original_fieldset: pe
+  short: Name of the compiler
   type: keyword
-threat.enrichments.indicator.file.elf.header.version:
-  dashed_name: threat-enrichments-indicator-file-elf-header-version
-  description: Version of the ELF header.
-  flat_name: threat.enrichments.indicator.file.elf.header.version
+threat.enrichments.indicator.file.pe.compiler.version:
+  dashed_name: threat-enrichments-indicator-file-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: threat.enrichments.indicator.file.pe.compiler.version
   ignore_above: 1024
   level: extended
-  name: header.version
+  name: compiler.version
   normalize: []
-  original_fieldset: elf
-  short: Version of the ELF header.
+  original_fieldset: pe
+  short: Version of the compiler.
   type: keyword
-threat.enrichments.indicator.file.elf.imports:
-  dashed_name: threat-enrichments-indicator-file-elf-imports
-  description: List of imported element names and types.
-  flat_name: threat.enrichments.indicator.file.elf.imports
+threat.enrichments.indicator.file.pe.creation_date:
+  dashed_name: threat-enrichments-indicator-file-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.file.pe.creation_date
   level: extended
-  name: imports
-  normalize:
-  - array
-  original_fieldset: elf
-  short: List of imported element names and types.
-  type: flattened
-threat.enrichments.indicator.file.elf.sections:
-  dashed_name: threat-enrichments-indicator-file-elf-sections
-  description: 'An array containing an object for each section of the ELF file.
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+threat.enrichments.indicator.file.pe.debug:
+  dashed_name: threat-enrichments-indicator-file-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
 
-    The keys that should be present in these objects are defined by sub-fields underneath
-    `elf.sections.*`.'
-  flat_name: threat.enrichments.indicator.file.elf.sections
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: threat.enrichments.indicator.file.pe.debug
   level: extended
-  name: sections
+  name: debug
   normalize:
   - array
-  original_fieldset: elf
-  short: Section information of the ELF file.
+  original_fieldset: pe
+  short: Debug information
   type: nested
-threat.enrichments.indicator.file.elf.sections.chi2:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-chi2
-  description: Chi-square probability distribution of the section.
-  flat_name: threat.enrichments.indicator.file.elf.sections.chi2
-  format: number
+threat.enrichments.indicator.file.pe.debug.offset:
+  dashed_name: threat-enrichments-indicator-file-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: threat.enrichments.indicator.file.pe.debug.offset
+  ignore_above: 1024
   level: extended
-  name: sections.chi2
+  name: debug.offset
   normalize: []
-  original_fieldset: elf
-  short: Chi-square probability distribution of the section.
-  type: long
-threat.enrichments.indicator.file.elf.sections.entropy:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-entropy
-  description: Shannon entropy calculation from the section.
-  flat_name: threat.enrichments.indicator.file.elf.sections.entropy
-  format: number
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+threat.enrichments.indicator.file.pe.debug.size:
+  dashed_name: threat-enrichments-indicator-file-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: threat.enrichments.indicator.file.pe.debug.size
+  format: bytes
   level: extended
-  name: sections.entropy
+  name: debug.size
   normalize: []
-  original_fieldset: elf
-  short: Shannon entropy calculation from the section.
+  original_fieldset: pe
+  short: Size of the debug information.
   type: long
-threat.enrichments.indicator.file.elf.sections.flags:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-flags
-  description: ELF Section List flags.
-  flat_name: threat.enrichments.indicator.file.elf.sections.flags
+threat.enrichments.indicator.file.pe.debug.timestamp:
+  dashed_name: threat-enrichments-indicator-file-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.file.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+threat.enrichments.indicator.file.pe.debug.type:
+  dashed_name: threat-enrichments-indicator-file-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: threat.enrichments.indicator.file.pe.debug.type
   ignore_above: 1024
   level: extended
-  name: sections.flags
+  name: debug.type
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List flags.
+  original_fieldset: pe
+  short: Information type generated by the debug options.
   type: keyword
-threat.enrichments.indicator.file.elf.sections.name:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-name
-  description: ELF Section List name.
-  flat_name: threat.enrichments.indicator.file.elf.sections.name
+threat.enrichments.indicator.file.pe.description:
+  dashed_name: threat-enrichments-indicator-file-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: threat.enrichments.indicator.file.pe.description
   ignore_above: 1024
   level: extended
-  name: sections.name
+  name: description
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List name.
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
   type: keyword
-threat.enrichments.indicator.file.elf.sections.physical_offset:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset
-  description: ELF Section List offset.
-  flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset
+threat.enrichments.indicator.file.pe.entry_point:
+  dashed_name: threat-enrichments-indicator-file-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: threat.enrichments.indicator.file.pe.entry_point
   ignore_above: 1024
   level: extended
-  name: sections.physical_offset
+  name: entry_point
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List offset.
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
   type: keyword
-threat.enrichments.indicator.file.elf.sections.physical_size:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size
-  description: ELF Section List physical size.
-  flat_name: threat.enrichments.indicator.file.elf.sections.physical_size
-  format: bytes
+threat.enrichments.indicator.file.pe.exports:
+  dashed_name: threat-enrichments-indicator-file-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: threat.enrichments.indicator.file.pe.exports
+  ignore_above: 1024
   level: extended
-  name: sections.physical_size
-  normalize: []
-  original_fieldset: elf
-  short: ELF Section List physical size.
-  type: long
-threat.enrichments.indicator.file.elf.sections.type:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-type
-  description: ELF Section List type.
-  flat_name: threat.enrichments.indicator.file.elf.sections.type
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
+threat.enrichments.indicator.file.pe.file_version:
+  dashed_name: threat-enrichments-indicator-file-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: threat.enrichments.indicator.file.pe.file_version
   ignore_above: 1024
   level: extended
-  name: sections.type
+  name: file_version
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List type.
+  original_fieldset: pe
+  short: Process name.
   type: keyword
-threat.enrichments.indicator.file.elf.sections.virtual_address:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address
-  description: ELF Section List virtual address.
-  flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address
-  format: string
+threat.enrichments.indicator.file.pe.icon.hash.dhash:
+  dashed_name: threat-enrichments-indicator-file-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: threat.enrichments.indicator.file.pe.icon.hash.dhash
+  ignore_above: 1024
   level: extended
-  name: sections.virtual_address
+  name: icon.hash.dhash
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List virtual address.
-  type: long
-threat.enrichments.indicator.file.elf.sections.virtual_size:
-  dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size
-  description: ELF Section List virtual size.
-  flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size
-  format: string
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
+threat.enrichments.indicator.file.pe.imphash:
+  dashed_name: threat-enrichments-indicator-file-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: threat.enrichments.indicator.file.pe.imphash
+  ignore_above: 1024
   level: extended
-  name: sections.virtual_size
+  name: imphash
   normalize: []
-  original_fieldset: elf
-  short: ELF Section List virtual size.
-  type: long
-threat.enrichments.indicator.file.elf.segments:
-  dashed_name: threat-enrichments-indicator-file-elf-segments
-  description: 'An array containing an object for each segment of the ELF file.
-
-    The keys that should be present in these objects are defined by sub-fields underneath
-    `elf.segments.*`.'
-  flat_name: threat.enrichments.indicator.file.elf.segments
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+threat.enrichments.indicator.file.pe.imports:
+  dashed_name: threat-enrichments-indicator-file-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: threat.enrichments.indicator.file.pe.imports
   level: extended
-  name: segments
-  normalize:
-  - array
-  original_fieldset: elf
-  short: ELF object segment list.
-  type: nested
-threat.enrichments.indicator.file.elf.segments.sections:
-  dashed_name: threat-enrichments-indicator-file-elf-segments-sections
-  description: ELF object segment sections.
-  flat_name: threat.enrichments.indicator.file.elf.segments.sections
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+threat.enrichments.indicator.file.pe.machine_type:
+  dashed_name: threat-enrichments-indicator-file-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: threat.enrichments.indicator.file.pe.machine_type
   ignore_above: 1024
   level: extended
-  name: segments.sections
+  name: machine_type
   normalize: []
-  original_fieldset: elf
-  short: ELF object segment sections.
+  original_fieldset: pe
+  short: Machine type of the PE file.
   type: keyword
-threat.enrichments.indicator.file.elf.segments.type:
-  dashed_name: threat-enrichments-indicator-file-elf-segments-type
-  description: ELF object segment type.
-  flat_name: threat.enrichments.indicator.file.elf.segments.type
+threat.enrichments.indicator.file.pe.original_file_name:
+  dashed_name: threat-enrichments-indicator-file-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: threat.enrichments.indicator.file.pe.original_file_name
   ignore_above: 1024
   level: extended
-  name: segments.type
+  name: original_file_name
   normalize: []
-  original_fieldset: elf
-  short: ELF object segment type.
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
   type: keyword
-threat.enrichments.indicator.file.elf.shared_libraries:
-  dashed_name: threat-enrichments-indicator-file-elf-shared-libraries
-  description: List of shared libraries used by this ELF object.
-  flat_name: threat.enrichments.indicator.file.elf.shared_libraries
+threat.enrichments.indicator.file.pe.packers:
+  dashed_name: threat-enrichments-indicator-file-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: threat.enrichments.indicator.file.pe.packers
   ignore_above: 1024
   level: extended
-  name: shared_libraries
+  name: packers
   normalize:
   - array
-  original_fieldset: elf
-  short: List of shared libraries used by this ELF object.
+  original_fieldset: pe
+  short: List of packers and tools used.
   type: keyword
-threat.enrichments.indicator.file.elf.telfhash:
-  dashed_name: threat-enrichments-indicator-file-elf-telfhash
-  description: telfhash symbol hash for ELF file.
-  flat_name: threat.enrichments.indicator.file.elf.telfhash
+threat.enrichments.indicator.file.pe.product:
+  dashed_name: threat-enrichments-indicator-file-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: threat.enrichments.indicator.file.pe.product
   ignore_above: 1024
   level: extended
-  name: telfhash
+  name: product
   normalize: []
-  original_fieldset: elf
-  short: telfhash hash for ELF file.
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
   type: keyword
-threat.enrichments.indicator.file.extension:
-  dashed_name: threat-enrichments-indicator-file-extension
-  description: 'File extension, excluding the leading dot.
+threat.enrichments.indicator.file.pe.resources:
+  dashed_name: threat-enrichments-indicator-file-pe-resources
+  description: 'An array containing an object for each PE resource, if present.
 
-    Note that when the file name has multiple extensions (example.tar.gz), only the
-    last one should be captured ("gz", not "tar.gz").'
-  example: png
-  flat_name: threat.enrichments.indicator.file.extension
-  ignore_above: 1024
+    The expected fields for this nested object fall under the `resources.` prefix.'
+  flat_name: threat.enrichments.indicator.file.pe.resources
   level: extended
-  name: extension
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: PE resource information
+  type: nested
+threat.enrichments.indicator.file.pe.resources.chi2:
+  dashed_name: threat-enrichments-indicator-file-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: threat.enrichments.indicator.file.pe.resources.chi2
+  level: extended
+  name: resources.chi2
   normalize: []
-  original_fieldset: file
-  short: File extension, excluding the leading dot.
-  type: keyword
-threat.enrichments.indicator.file.fork_name:
-  dashed_name: threat-enrichments-indicator-file-fork-name
-  description: 'A fork is additional data associated with a filesystem object.
-
-    On Linux, a resource fork is used to store additional data with a filesystem object.
-    A file always has at least one fork for the data portion, and additional forks
-    may exist.
-
-    On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
-    data stream for a file is just called $DATA. Zone.Identifier is commonly used
-    by Windows to track contents downloaded from the Internet. An ADS is typically
-    of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
-    is the value that should populate `fork_name`. `filename.extension` should populate
-    `file.name`, and `extension` should populate `file.extension`. The full path,
-    `file.path`, will include the fork name.'
-  example: Zone.Identifer
-  flat_name: threat.enrichments.indicator.file.fork_name
-  ignore_above: 1024
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+threat.enrichments.indicator.file.pe.resources.entropy:
+  dashed_name: threat-enrichments-indicator-file-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: threat.enrichments.indicator.file.pe.resources.entropy
   level: extended
-  name: fork_name
+  name: resources.entropy
   normalize: []
-  original_fieldset: file
-  short: A fork is additional data associated with a filesystem object.
-  type: keyword
-threat.enrichments.indicator.file.gid:
-  dashed_name: threat-enrichments-indicator-file-gid
-  description: Primary group ID (GID) of the file.
-  example: '1001'
-  flat_name: threat.enrichments.indicator.file.gid
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+threat.enrichments.indicator.file.pe.resources.filetype:
+  dashed_name: threat-enrichments-indicator-file-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: threat.enrichments.indicator.file.pe.resources.filetype
   ignore_above: 1024
   level: extended
-  name: gid
+  name: resources.filetype
   normalize: []
-  original_fieldset: file
-  short: Primary group ID (GID) of the file.
+  original_fieldset: pe
+  short: File type of the resources section.
   type: keyword
-threat.enrichments.indicator.file.group:
-  dashed_name: threat-enrichments-indicator-file-group
-  description: Primary group name of the file.
-  example: alice
-  flat_name: threat.enrichments.indicator.file.group
+threat.enrichments.indicator.file.pe.resources.language:
+  dashed_name: threat-enrichments-indicator-file-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: threat.enrichments.indicator.file.pe.resources.language
   ignore_above: 1024
   level: extended
-  name: group
+  name: resources.language
   normalize: []
-  original_fieldset: file
-  short: Primary group name of the file.
+  original_fieldset: pe
+  short: Language identification.
   type: keyword
-threat.enrichments.indicator.file.inode:
-  dashed_name: threat-enrichments-indicator-file-inode
-  description: Inode representing the file in the filesystem.
-  example: '256383'
-  flat_name: threat.enrichments.indicator.file.inode
+threat.enrichments.indicator.file.pe.resources.sha256:
+  dashed_name: threat-enrichments-indicator-file-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: threat.enrichments.indicator.file.pe.resources.sha256
   ignore_above: 1024
   level: extended
-  name: inode
+  name: resources.sha256
   normalize: []
-  original_fieldset: file
-  short: Inode representing the file in the filesystem.
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
   type: keyword
-threat.enrichments.indicator.file.mime_type:
-  dashed_name: threat-enrichments-indicator-file-mime-type
-  description: MIME type should identify the format of the file or stream of bytes
-    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
-    types], where possible. When more than one type is applicable, the most specific
-    type should be used.
-  flat_name: threat.enrichments.indicator.file.mime_type
+threat.enrichments.indicator.file.pe.resources.type:
+  dashed_name: threat-enrichments-indicator-file-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: threat.enrichments.indicator.file.pe.resources.type
   ignore_above: 1024
   level: extended
-  name: mime_type
-  normalize: []
-  original_fieldset: file
-  short: Media type of file, document, or arrangement of bytes.
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
   type: keyword
-threat.enrichments.indicator.file.mode:
-  dashed_name: threat-enrichments-indicator-file-mode
-  description: Mode of the file in octal representation.
-  example: '0640'
-  flat_name: threat.enrichments.indicator.file.mode
+threat.enrichments.indicator.file.pe.rich_header.hash.md5:
+  dashed_name: threat-enrichments-indicator-file-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: threat.enrichments.indicator.file.pe.rich_header.hash.md5
   ignore_above: 1024
   level: extended
-  name: mode
+  name: rich_header.hash.md5
   normalize: []
-  original_fieldset: file
-  short: Mode of the file in octal representation.
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
   type: keyword
-threat.enrichments.indicator.file.mtime:
-  dashed_name: threat-enrichments-indicator-file-mtime
-  description: Last time the file content was modified.
-  flat_name: threat.enrichments.indicator.file.mtime
+threat.enrichments.indicator.file.pe.sections:
+  dashed_name: threat-enrichments-indicator-file-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: threat.enrichments.indicator.file.pe.sections
   level: extended
-  name: mtime
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+threat.enrichments.indicator.file.pe.sections.chi2:
+  dashed_name: threat-enrichments-indicator-file-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: threat.enrichments.indicator.file.pe.sections.chi2
+  level: extended
+  name: sections.chi2
   normalize: []
-  original_fieldset: file
-  short: Last time the file content was modified.
-  type: date
-threat.enrichments.indicator.file.name:
-  dashed_name: threat-enrichments-indicator-file-name
-  description: Name of the file including the extension, without the directory.
-  example: example.png
-  flat_name: threat.enrichments.indicator.file.name
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+threat.enrichments.indicator.file.pe.sections.entropy:
+  dashed_name: threat-enrichments-indicator-file-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: threat.enrichments.indicator.file.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+threat.enrichments.indicator.file.pe.sections.flags:
+  dashed_name: threat-enrichments-indicator-file-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: threat.enrichments.indicator.file.pe.sections.flags
   ignore_above: 1024
   level: extended
-  name: name
+  name: sections.flags
   normalize: []
-  original_fieldset: file
-  short: Name of the file including the extension, without the directory.
+  original_fieldset: pe
+  short: Section flags of the file.
   type: keyword
-threat.enrichments.indicator.file.owner:
-  dashed_name: threat-enrichments-indicator-file-owner
-  description: File owner's username.
-  example: alice
-  flat_name: threat.enrichments.indicator.file.owner
+threat.enrichments.indicator.file.pe.sections.name:
+  dashed_name: threat-enrichments-indicator-file-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: threat.enrichments.indicator.file.pe.sections.name
   ignore_above: 1024
   level: extended
-  name: owner
+  name: sections.name
   normalize: []
-  original_fieldset: file
-  short: File owner's username.
+  original_fieldset: pe
+  short: Section names of the file.
   type: keyword
-threat.enrichments.indicator.file.path:
-  dashed_name: threat-enrichments-indicator-file-path
-  description: Full path to the file, including the file name. It should include the
-    drive letter, when appropriate.
-  example: /home/alice/example.png
-  flat_name: threat.enrichments.indicator.file.path
-  ignore_above: 1024
+threat.enrichments.indicator.file.pe.sections.raw_size:
+  dashed_name: threat-enrichments-indicator-file-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: threat.enrichments.indicator.file.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+threat.enrichments.indicator.file.pe.sections.virtual_address:
+  dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: threat.enrichments.indicator.file.pe.sections.virtual_address
+  format: bytes
   level: extended
-  multi_fields:
-  - flat_name: threat.enrichments.indicator.file.path.text
-    name: text
-    type: match_only_text
-  name: path
+  name: sections.virtual_address
   normalize: []
-  original_fieldset: file
-  short: Full path to the file, including the file name.
-  type: keyword
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
 threat.enrichments.indicator.file.size:
   dashed_name: threat-enrichments-indicator-file-size
   description: 'File size in bytes.
@@ -13716,720 +12502,512 @@ threat.enrichments.indicator.file.uid:
   original_fieldset: file
   short: The user ID (UID) or security identifier (SID) of the file owner.
   type: keyword
-threat.enrichments.indicator.first_seen:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-first-seen
-  description: The date and time when intelligence source first reported sighting
-    this indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.first_seen
-  level: extended
-  name: enrichments.indicator.first_seen
-  normalize: []
-  short: Date/time indicator was first reported.
-  type: date
-threat.enrichments.indicator.geo.city_name:
-  dashed_name: threat-enrichments-indicator-geo-city-name
-  description: City name.
-  example: Montreal
-  flat_name: threat.enrichments.indicator.geo.city_name
-  ignore_above: 1024
-  level: core
-  name: city_name
-  normalize: []
-  original_fieldset: geo
-  short: City name.
-  type: keyword
-threat.enrichments.indicator.geo.continent_code:
-  dashed_name: threat-enrichments-indicator-geo-continent-code
-  description: Two-letter code representing continent's name.
-  example: NA
-  flat_name: threat.enrichments.indicator.geo.continent_code
-  ignore_above: 1024
-  level: core
-  name: continent_code
-  normalize: []
-  original_fieldset: geo
-  short: Continent code.
-  type: keyword
-threat.enrichments.indicator.geo.continent_name:
-  dashed_name: threat-enrichments-indicator-geo-continent-name
-  description: Name of the continent.
-  example: North America
-  flat_name: threat.enrichments.indicator.geo.continent_name
-  ignore_above: 1024
-  level: core
-  name: continent_name
-  normalize: []
-  original_fieldset: geo
-  short: Name of the continent.
-  type: keyword
-threat.enrichments.indicator.geo.country_iso_code:
-  dashed_name: threat-enrichments-indicator-geo-country-iso-code
-  description: Country ISO code.
-  example: CA
-  flat_name: threat.enrichments.indicator.geo.country_iso_code
-  ignore_above: 1024
-  level: core
-  name: country_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Country ISO code.
-  type: keyword
-threat.enrichments.indicator.geo.country_name:
-  dashed_name: threat-enrichments-indicator-geo-country-name
-  description: Country name.
-  example: Canada
-  flat_name: threat.enrichments.indicator.geo.country_name
-  ignore_above: 1024
-  level: core
-  name: country_name
-  normalize: []
-  original_fieldset: geo
-  short: Country name.
-  type: keyword
-threat.enrichments.indicator.geo.location:
-  dashed_name: threat-enrichments-indicator-geo-location
-  description: Longitude and latitude.
-  example: '{ "lon": -73.614830, "lat": 45.505918 }'
-  flat_name: threat.enrichments.indicator.geo.location
-  level: core
-  name: location
-  normalize: []
-  original_fieldset: geo
-  short: Longitude and latitude.
-  type: geo_point
-threat.enrichments.indicator.geo.name:
-  dashed_name: threat-enrichments-indicator-geo-name
-  description: 'User-defined description of a location, at the level of granularity
-    they care about.
-
-    Could be the name of their data centers, the floor number, if this describes a
-    local physical entity, city names.
-
-    Not typically used in automated geolocation.'
-  example: boston-dc
-  flat_name: threat.enrichments.indicator.geo.name
-  ignore_above: 1024
-  level: extended
-  name: name
-  normalize: []
-  original_fieldset: geo
-  short: User-defined description of a location.
-  type: keyword
-threat.enrichments.indicator.geo.postal_code:
-  dashed_name: threat-enrichments-indicator-geo-postal-code
-  description: 'Postal code associated with the location.
-
-    Values appropriate for this field may also be known as a postcode or ZIP code
-    and will vary widely from country to country.'
-  example: 94040
-  flat_name: threat.enrichments.indicator.geo.postal_code
-  ignore_above: 1024
-  level: core
-  name: postal_code
-  normalize: []
-  original_fieldset: geo
-  short: Postal code.
-  type: keyword
-threat.enrichments.indicator.geo.region_iso_code:
-  dashed_name: threat-enrichments-indicator-geo-region-iso-code
-  description: Region ISO code.
-  example: CA-QC
-  flat_name: threat.enrichments.indicator.geo.region_iso_code
-  ignore_above: 1024
-  level: core
-  name: region_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Region ISO code.
-  type: keyword
-threat.enrichments.indicator.geo.region_name:
-  dashed_name: threat-enrichments-indicator-geo-region-name
-  description: Region name.
-  example: Quebec
-  flat_name: threat.enrichments.indicator.geo.region_name
-  ignore_above: 1024
-  level: core
-  name: region_name
-  normalize: []
-  original_fieldset: geo
-  short: Region name.
-  type: keyword
-threat.enrichments.indicator.geo.timezone:
-  dashed_name: threat-enrichments-indicator-geo-timezone
-  description: The time zone of the location, such as IANA time zone name.
-  example: America/Argentina/Buenos_Aires
-  flat_name: threat.enrichments.indicator.geo.timezone
-  ignore_above: 1024
-  level: core
-  name: timezone
-  normalize: []
-  original_fieldset: geo
-  short: Time zone.
-  type: keyword
-threat.enrichments.indicator.hash.md5:
-  dashed_name: threat-enrichments-indicator-hash-md5
-  description: MD5 hash.
-  flat_name: threat.enrichments.indicator.hash.md5
-  ignore_above: 1024
-  level: extended
-  name: md5
-  normalize: []
-  original_fieldset: hash
-  short: MD5 hash.
-  type: keyword
-threat.enrichments.indicator.hash.sha1:
-  dashed_name: threat-enrichments-indicator-hash-sha1
-  description: SHA1 hash.
-  flat_name: threat.enrichments.indicator.hash.sha1
-  ignore_above: 1024
-  level: extended
-  name: sha1
-  normalize: []
-  original_fieldset: hash
-  short: SHA1 hash.
-  type: keyword
-threat.enrichments.indicator.hash.sha256:
-  dashed_name: threat-enrichments-indicator-hash-sha256
-  description: SHA256 hash.
-  flat_name: threat.enrichments.indicator.hash.sha256
+threat.enrichments.indicator.file.x509.alternative_names:
+  dashed_name: threat-enrichments-indicator-file-x509-alternative-names
+  description: List of subject alternative names (SAN). Name types vary by certificate
+    authority and certificate type but commonly contain IP addresses, DNS names (and
+    wildcards), and email addresses.
+  example: '*.elastic.co'
+  flat_name: threat.enrichments.indicator.file.x509.alternative_names
   ignore_above: 1024
   level: extended
-  name: sha256
-  normalize: []
-  original_fieldset: hash
-  short: SHA256 hash.
+  name: alternative_names
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of subject alternative names (SAN).
   type: keyword
-threat.enrichments.indicator.hash.sha512:
-  dashed_name: threat-enrichments-indicator-hash-sha512
-  description: SHA512 hash.
-  flat_name: threat.enrichments.indicator.hash.sha512
+threat.enrichments.indicator.file.x509.issuer.common_name:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-common-name
+  description: List of common name (CN) of issuing certificate authority.
+  example: Example SHA2 High Assurance Server CA
+  flat_name: threat.enrichments.indicator.file.x509.issuer.common_name
   ignore_above: 1024
   level: extended
-  name: sha512
-  normalize: []
-  original_fieldset: hash
-  short: SHA512 hash.
+  name: issuer.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common name (CN) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.hash.ssdeep:
-  dashed_name: threat-enrichments-indicator-hash-ssdeep
-  description: SSDEEP hash.
-  flat_name: threat.enrichments.indicator.hash.ssdeep
+threat.enrichments.indicator.file.x509.issuer.country:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-country
+  description: List of country (C) codes
+  example: US
+  flat_name: threat.enrichments.indicator.file.x509.issuer.country
   ignore_above: 1024
   level: extended
-  name: ssdeep
-  normalize: []
-  original_fieldset: hash
-  short: SSDEEP hash.
+  name: issuer.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) codes
   type: keyword
-threat.enrichments.indicator.ip:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-ip
-  description: Identifies a threat indicator as an IP address (irrespective of direction).
-  example: 1.2.3.4
-  flat_name: threat.enrichments.indicator.ip
-  level: extended
-  name: enrichments.indicator.ip
-  normalize: []
-  short: Indicator IP address
-  type: ip
-threat.enrichments.indicator.last_seen:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-last-seen
-  description: The date and time when intelligence source last reported sighting this
-    indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.last_seen
-  level: extended
-  name: enrichments.indicator.last_seen
-  normalize: []
-  short: Date/time indicator was last reported.
-  type: date
-threat.enrichments.indicator.marking.tlp:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-marking-tlp
-  description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
-    \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-  example: White
-  flat_name: threat.enrichments.indicator.marking.tlp
+threat.enrichments.indicator.file.x509.issuer.distinguished_name:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-distinguished-name
+  description: Distinguished name (DN) of issuing certificate authority.
+  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+    Server CA
+  flat_name: threat.enrichments.indicator.file.x509.issuer.distinguished_name
   ignore_above: 1024
   level: extended
-  name: enrichments.indicator.marking.tlp
+  name: issuer.distinguished_name
   normalize: []
-  short: Indicator TLP marking
+  original_fieldset: x509
+  short: Distinguished name (DN) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.modified_at:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-modified-at
-  description: The date and time when intelligence source last modified information
-    for this indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.modified_at
+threat.enrichments.indicator.file.x509.issuer.locality:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-locality
+  description: List of locality names (L)
+  example: Mountain View
+  flat_name: threat.enrichments.indicator.file.x509.issuer.locality
+  ignore_above: 1024
   level: extended
-  name: enrichments.indicator.modified_at
-  normalize: []
-  short: Date/time indicator was last updated.
-  type: date
-threat.enrichments.indicator.pe.architecture:
-  dashed_name: threat-enrichments-indicator-pe-architecture
-  description: CPU architecture target for the file.
-  example: x64
-  flat_name: threat.enrichments.indicator.pe.architecture
+  name: issuer.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+threat.enrichments.indicator.file.x509.issuer.organization:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-organization
+  description: List of organizations (O) of issuing certificate authority.
+  example: Example Inc
+  flat_name: threat.enrichments.indicator.file.x509.issuer.organization
   ignore_above: 1024
   level: extended
-  name: architecture
-  normalize: []
-  original_fieldset: pe
-  short: CPU architecture target for the file.
+  name: issuer.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.pe.authentihash:
-  dashed_name: threat-enrichments-indicator-pe-authentihash
-  description: Authentihash of the PE file.
-  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-  flat_name: threat.enrichments.indicator.pe.authentihash
+threat.enrichments.indicator.file.x509.issuer.organizational_unit:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-organizational-unit
+  description: List of organizational units (OU) of issuing certificate authority.
+  example: www.example.com
+  flat_name: threat.enrichments.indicator.file.x509.issuer.organizational_unit
   ignore_above: 1024
   level: extended
-  name: authentihash
-  normalize: []
-  original_fieldset: pe
-  short: Authentihash of the PE file.
+  name: issuer.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.pe.company:
-  dashed_name: threat-enrichments-indicator-pe-company
-  description: Internal company name of the file, provided at compile-time.
-  example: Microsoft Corporation
-  flat_name: threat.enrichments.indicator.pe.company
+threat.enrichments.indicator.file.x509.issuer.state_or_province:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.enrichments.indicator.file.x509.issuer.state_or_province
   ignore_above: 1024
   level: extended
-  name: company
-  normalize: []
-  original_fieldset: pe
-  short: Internal company name of the file, provided at compile-time.
+  name: issuer.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
   type: keyword
-threat.enrichments.indicator.pe.compile_timestamp:
-  dashed_name: threat-enrichments-indicator-pe-compile-timestamp
-  description: Compile timestamp of the PE file.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.pe.compile_timestamp
+threat.enrichments.indicator.file.x509.not_after:
+  dashed_name: threat-enrichments-indicator-file-x509-not-after
+  description: Time at which the certificate is no longer considered valid.
+  example: 2020-07-16 03:15:39+00:00
+  flat_name: threat.enrichments.indicator.file.x509.not_after
   level: extended
-  name: compile_timestamp
+  name: not_after
   normalize: []
-  original_fieldset: pe
-  short: Compile timestamp of the PE file.
+  original_fieldset: x509
+  short: Time at which the certificate is no longer considered valid.
   type: date
-threat.enrichments.indicator.pe.compiler.name:
-  dashed_name: threat-enrichments-indicator-pe-compiler-name
-  description: Name of the compiler
-  example: Clang
-  flat_name: threat.enrichments.indicator.pe.compiler.name
+threat.enrichments.indicator.file.x509.not_before:
+  dashed_name: threat-enrichments-indicator-file-x509-not-before
+  description: Time at which the certificate is first considered valid.
+  example: 2019-08-16 01:40:25+00:00
+  flat_name: threat.enrichments.indicator.file.x509.not_before
+  level: extended
+  name: not_before
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is first considered valid.
+  type: date
+threat.enrichments.indicator.file.x509.public_key_algorithm:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-algorithm
+  description: Algorithm used to generate the public key.
+  example: RSA
+  flat_name: threat.enrichments.indicator.file.x509.public_key_algorithm
   ignore_above: 1024
   level: extended
-  name: compiler.name
+  name: public_key_algorithm
   normalize: []
-  original_fieldset: pe
-  short: Name of the compiler
+  original_fieldset: x509
+  short: Algorithm used to generate the public key.
   type: keyword
-threat.enrichments.indicator.pe.compiler.version:
-  dashed_name: threat-enrichments-indicator-pe-compiler-version
-  description: Version of the compiler.
-  example: 11.0.0
-  flat_name: threat.enrichments.indicator.pe.compiler.version
+threat.enrichments.indicator.file.x509.public_key_curve:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-curve
+  description: The curve used by the elliptic curve public key algorithm. This is
+    algorithm specific.
+  example: nistp521
+  flat_name: threat.enrichments.indicator.file.x509.public_key_curve
   ignore_above: 1024
   level: extended
-  name: compiler.version
+  name: public_key_curve
   normalize: []
-  original_fieldset: pe
-  short: Version of the compiler.
+  original_fieldset: x509
+  short: The curve used by the elliptic curve public key algorithm. This is algorithm
+    specific.
   type: keyword
-threat.enrichments.indicator.pe.creation_date:
-  dashed_name: threat-enrichments-indicator-pe-creation-date
-  description: Extracted when possible from the file's metadata. Indicates when it
-    was built or compiled. It can also be faked by malware creators.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.pe.creation_date
+threat.enrichments.indicator.file.x509.public_key_exponent:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-exponent
+  description: Exponent used to derive the public key. This is algorithm specific.
+  doc_values: false
+  example: 65537
+  flat_name: threat.enrichments.indicator.file.x509.public_key_exponent
+  index: false
   level: extended
-  name: creation_date
+  name: public_key_exponent
   normalize: []
-  original_fieldset: pe
-  short: Build or compile date.
-  type: date
-threat.enrichments.indicator.pe.debug:
-  dashed_name: threat-enrichments-indicator-pe-debug
-  description: 'An array containing an object for each debug entry, if present.
-
-    The expected fields for this nested object fall under the `debug.` prefix.'
-  flat_name: threat.enrichments.indicator.pe.debug
+  original_fieldset: x509
+  short: Exponent used to derive the public key. This is algorithm specific.
+  type: long
+threat.enrichments.indicator.file.x509.public_key_size:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-size
+  description: The size of the public key space in bits.
+  example: 2048
+  flat_name: threat.enrichments.indicator.file.x509.public_key_size
   level: extended
-  name: debug
-  normalize:
-  - array
-  original_fieldset: pe
-  short: Debug information
-  type: nested
-threat.enrichments.indicator.pe.debug.offset:
-  dashed_name: threat-enrichments-indicator-pe-debug-offset
-  description: Debug offset information.
-  example: 1296336
-  flat_name: threat.enrichments.indicator.pe.debug.offset
+  name: public_key_size
+  normalize: []
+  original_fieldset: x509
+  short: The size of the public key space in bits.
+  type: long
+threat.enrichments.indicator.file.x509.serial_number:
+  dashed_name: threat-enrichments-indicator-file-x509-serial-number
+  description: Unique serial number issued by the certificate authority. For consistency,
+    if this value is alphanumeric, it should be formatted without colons and uppercase
+    characters.
+  example: 55FBB9C7DEBF09809D12CCAA
+  flat_name: threat.enrichments.indicator.file.x509.serial_number
   ignore_above: 1024
   level: extended
-  name: debug.offset
+  name: serial_number
   normalize: []
-  original_fieldset: pe
-  short: Debug offset information.
+  original_fieldset: x509
+  short: Unique serial number issued by the certificate authority.
   type: keyword
-threat.enrichments.indicator.pe.debug.size:
-  dashed_name: threat-enrichments-indicator-pe-debug-size
-  description: Size of the debug information.
-  example: 816
-  flat_name: threat.enrichments.indicator.pe.debug.size
-  format: bytes
+threat.enrichments.indicator.file.x509.signature_algorithm:
+  dashed_name: threat-enrichments-indicator-file-x509-signature-algorithm
+  description: Identifier for certificate signature algorithm. We recommend using
+    names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+  example: SHA256-RSA
+  flat_name: threat.enrichments.indicator.file.x509.signature_algorithm
+  ignore_above: 1024
   level: extended
-  name: debug.size
+  name: signature_algorithm
   normalize: []
-  original_fieldset: pe
-  short: Size of the debug information.
-  type: long
-threat.enrichments.indicator.pe.debug.timestamp:
-  dashed_name: threat-enrichments-indicator-pe-debug-timestamp
-  description: Timestamp of the debug information.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.pe.debug.timestamp
+  original_fieldset: x509
+  short: Identifier for certificate signature algorithm.
+  type: keyword
+threat.enrichments.indicator.file.x509.subject.common_name:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-common-name
+  description: List of common names (CN) of subject.
+  example: shared.global.example.net
+  flat_name: threat.enrichments.indicator.file.x509.subject.common_name
+  ignore_above: 1024
   level: extended
-  name: debug.timestamp
-  normalize: []
-  original_fieldset: pe
-  short: Timestamp of the debug information.
-  type: date
-threat.enrichments.indicator.pe.debug.type:
-  dashed_name: threat-enrichments-indicator-pe-debug-type
-  description: Information type generated by the debug options.
-  example: IMAGE_DEBUG_TYPE_POGO
-  flat_name: threat.enrichments.indicator.pe.debug.type
+  name: subject.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common names (CN) of subject.
+  type: keyword
+threat.enrichments.indicator.file.x509.subject.country:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-country
+  description: List of country (C) code
+  example: US
+  flat_name: threat.enrichments.indicator.file.x509.subject.country
   ignore_above: 1024
   level: extended
-  name: debug.type
-  normalize: []
-  original_fieldset: pe
-  short: Information type generated by the debug options.
+  name: subject.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) code
   type: keyword
-threat.enrichments.indicator.pe.description:
-  dashed_name: threat-enrichments-indicator-pe-description
-  description: Internal description of the file, provided at compile-time.
-  example: Paint
-  flat_name: threat.enrichments.indicator.pe.description
+threat.enrichments.indicator.file.x509.subject.distinguished_name:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-distinguished-name
+  description: Distinguished name (DN) of the certificate subject entity.
+  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+  flat_name: threat.enrichments.indicator.file.x509.subject.distinguished_name
   ignore_above: 1024
   level: extended
-  name: description
+  name: subject.distinguished_name
   normalize: []
-  original_fieldset: pe
-  short: Internal description of the file, provided at compile-time.
+  original_fieldset: x509
+  short: Distinguished name (DN) of the certificate subject entity.
   type: keyword
-threat.enrichments.indicator.pe.entry_point:
-  dashed_name: threat-enrichments-indicator-pe-entry-point
-  description: Relative byte offset to the base of the PE file.
-  example: 25856
-  flat_name: threat.enrichments.indicator.pe.entry_point
+threat.enrichments.indicator.file.x509.subject.locality:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-locality
+  description: List of locality names (L)
+  example: San Francisco
+  flat_name: threat.enrichments.indicator.file.x509.subject.locality
   ignore_above: 1024
   level: extended
-  name: entry_point
-  normalize: []
-  original_fieldset: pe
-  short: Relative byte offset to the base of the PE file.
+  name: subject.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
   type: keyword
-threat.enrichments.indicator.pe.exports:
-  dashed_name: threat-enrichments-indicator-pe-exports
-  description: List of symbols exported by PE
-  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-  flat_name: threat.enrichments.indicator.pe.exports
+threat.enrichments.indicator.file.x509.subject.organization:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-organization
+  description: List of organizations (O) of subject.
+  example: Example, Inc.
+  flat_name: threat.enrichments.indicator.file.x509.subject.organization
   ignore_above: 1024
   level: extended
-  name: exports
+  name: subject.organization
   normalize:
   - array
-  original_fieldset: pe
-  short: List of symbols exported by PE
+  original_fieldset: x509
+  short: List of organizations (O) of subject.
   type: keyword
-threat.enrichments.indicator.pe.file_version:
-  dashed_name: threat-enrichments-indicator-pe-file-version
-  description: Internal version of the file, provided at compile-time.
-  example: 6.3.9600.17415
-  flat_name: threat.enrichments.indicator.pe.file_version
+threat.enrichments.indicator.file.x509.subject.organizational_unit:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-organizational-unit
+  description: List of organizational units (OU) of subject.
+  flat_name: threat.enrichments.indicator.file.x509.subject.organizational_unit
   ignore_above: 1024
   level: extended
-  name: file_version
-  normalize: []
-  original_fieldset: pe
-  short: Process name.
+  name: subject.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of subject.
   type: keyword
-threat.enrichments.indicator.pe.icon.hash.dhash:
-  dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash
-  description: Difference Hash (dhash) to find files with a visually similar icon
-    or thumbnail.
-  example: b806e17c8e330d82
-  flat_name: threat.enrichments.indicator.pe.icon.hash.dhash
+threat.enrichments.indicator.file.x509.subject.state_or_province:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.enrichments.indicator.file.x509.subject.state_or_province
   ignore_above: 1024
   level: extended
-  name: icon.hash.dhash
-  normalize: []
-  original_fieldset: pe
-  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  name: subject.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
   type: keyword
-threat.enrichments.indicator.pe.imphash:
-  dashed_name: threat-enrichments-indicator-pe-imphash
-  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
-    can be used to fingerprint binaries even after recompilation or other code-level
-    transformations have occurred, which would change more traditional hash values.
-
-    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-  example: 0c6803c4e922103c4dca5963aad36ddf
-  flat_name: threat.enrichments.indicator.pe.imphash
+threat.enrichments.indicator.file.x509.version_number:
+  dashed_name: threat-enrichments-indicator-file-x509-version-number
+  description: Version of x509 format.
+  example: 3
+  flat_name: threat.enrichments.indicator.file.x509.version_number
   ignore_above: 1024
   level: extended
-  name: imphash
+  name: version_number
   normalize: []
-  original_fieldset: pe
-  short: A hash of the imports in a PE file.
+  original_fieldset: x509
+  short: Version of x509 format.
   type: keyword
-threat.enrichments.indicator.pe.imports:
-  dashed_name: threat-enrichments-indicator-pe-imports
-  description: List of all imported functions
-  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-    }'
-  flat_name: threat.enrichments.indicator.pe.imports
+threat.enrichments.indicator.first_seen:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-first-seen
+  description: The date and time when intelligence source first reported sighting
+    this indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.first_seen
   level: extended
-  name: imports
+  name: enrichments.indicator.first_seen
   normalize: []
-  original_fieldset: pe
-  short: List of all imported functions
-  type: flattened
-threat.enrichments.indicator.pe.machine_type:
-  dashed_name: threat-enrichments-indicator-pe-machine-type
-  description: Machine type of the PE file.
-  example: Intel 386 or later, and compatibles
-  flat_name: threat.enrichments.indicator.pe.machine_type
+  short: Date/time indicator was first reported.
+  type: date
+threat.enrichments.indicator.geo.city_name:
+  dashed_name: threat-enrichments-indicator-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: threat.enrichments.indicator.geo.city_name
   ignore_above: 1024
-  level: extended
-  name: machine_type
+  level: core
+  name: city_name
   normalize: []
-  original_fieldset: pe
-  short: Machine type of the PE file.
+  original_fieldset: geo
+  short: City name.
   type: keyword
-threat.enrichments.indicator.pe.original_file_name:
-  dashed_name: threat-enrichments-indicator-pe-original-file-name
-  description: Internal name of the file, provided at compile-time.
-  example: MSPAINT.EXE
-  flat_name: threat.enrichments.indicator.pe.original_file_name
+threat.enrichments.indicator.geo.continent_code:
+  dashed_name: threat-enrichments-indicator-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: threat.enrichments.indicator.geo.continent_code
   ignore_above: 1024
-  level: extended
-  name: original_file_name
+  level: core
+  name: continent_code
   normalize: []
-  original_fieldset: pe
-  short: Internal name of the file, provided at compile-time.
+  original_fieldset: geo
+  short: Continent code.
   type: keyword
-threat.enrichments.indicator.pe.packers:
-  dashed_name: threat-enrichments-indicator-pe-packers
-  description: List of packers and tools used.
-  example: '["ASPack v2.12", ".NET executable"]'
-  flat_name: threat.enrichments.indicator.pe.packers
+threat.enrichments.indicator.geo.continent_name:
+  dashed_name: threat-enrichments-indicator-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: threat.enrichments.indicator.geo.continent_name
   ignore_above: 1024
-  level: extended
-  name: packers
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of packers and tools used.
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
   type: keyword
-threat.enrichments.indicator.pe.product:
-  dashed_name: threat-enrichments-indicator-pe-product
-  description: Internal product name of the file, provided at compile-time.
-  example: "Microsoft\xAE Windows\xAE Operating System"
-  flat_name: threat.enrichments.indicator.pe.product
+threat.enrichments.indicator.geo.country_iso_code:
+  dashed_name: threat-enrichments-indicator-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: threat.enrichments.indicator.geo.country_iso_code
   ignore_above: 1024
-  level: extended
-  name: product
+  level: core
+  name: country_iso_code
   normalize: []
-  original_fieldset: pe
-  short: Internal product name of the file, provided at compile-time.
+  original_fieldset: geo
+  short: Country ISO code.
   type: keyword
-threat.enrichments.indicator.pe.resources:
-  dashed_name: threat-enrichments-indicator-pe-resources
-  description: 'An array containing an object for each PE resource, if present.
-
-    The expected fields for this nested object fall under the `resources.` prefix.'
-  flat_name: threat.enrichments.indicator.pe.resources
-  level: extended
-  name: resources
-  normalize:
-  - array
-  original_fieldset: pe
-  short: PE resource information
-  type: nested
-threat.enrichments.indicator.pe.resources.chi2:
-  dashed_name: threat-enrichments-indicator-pe-resources-chi2
-  description: Chi-square probability distribution.
-  example: -1
-  flat_name: threat.enrichments.indicator.pe.resources.chi2
-  level: extended
-  name: resources.chi2
+threat.enrichments.indicator.geo.country_name:
+  dashed_name: threat-enrichments-indicator-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: threat.enrichments.indicator.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
   normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
-  type: long
-threat.enrichments.indicator.pe.resources.entropy:
-  dashed_name: threat-enrichments-indicator-pe-resources-entropy
-  description: Measurement of entropy randomness in the resources section.
-  example: 0, 1
-  flat_name: threat.enrichments.indicator.pe.resources.entropy
-  level: extended
-  name: resources.entropy
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+threat.enrichments.indicator.geo.location:
+  dashed_name: threat-enrichments-indicator-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: threat.enrichments.indicator.geo.location
+  level: core
+  name: location
   normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the resources section.
-  type: long
-threat.enrichments.indicator.pe.resources.filetype:
-  dashed_name: threat-enrichments-indicator-pe-resources-filetype
-  description: File type of the resources section.
-  example: Data
-  flat_name: threat.enrichments.indicator.pe.resources.filetype
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+threat.enrichments.indicator.geo.name:
+  dashed_name: threat-enrichments-indicator-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: threat.enrichments.indicator.geo.name
   ignore_above: 1024
   level: extended
-  name: resources.filetype
+  name: name
   normalize: []
-  original_fieldset: pe
-  short: File type of the resources section.
+  original_fieldset: geo
+  short: User-defined description of a location.
   type: keyword
-threat.enrichments.indicator.pe.resources.language:
-  dashed_name: threat-enrichments-indicator-pe-resources-language
-  description: Language identification.
-  example: CHINESE SIMPLIFIED
-  flat_name: threat.enrichments.indicator.pe.resources.language
+threat.enrichments.indicator.geo.postal_code:
+  dashed_name: threat-enrichments-indicator-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: threat.enrichments.indicator.geo.postal_code
   ignore_above: 1024
-  level: extended
-  name: resources.language
+  level: core
+  name: postal_code
   normalize: []
-  original_fieldset: pe
-  short: Language identification.
+  original_fieldset: geo
+  short: Postal code.
   type: keyword
-threat.enrichments.indicator.pe.resources.sha256:
-  dashed_name: threat-enrichments-indicator-pe-resources-sha256
-  description: SHA256 hash of resources section.
-  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-  flat_name: threat.enrichments.indicator.pe.resources.sha256
+threat.enrichments.indicator.geo.region_iso_code:
+  dashed_name: threat-enrichments-indicator-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: threat.enrichments.indicator.geo.region_iso_code
   ignore_above: 1024
-  level: extended
-  name: resources.sha256
+  level: core
+  name: region_iso_code
   normalize: []
-  original_fieldset: pe
-  short: SHA256 hash of resources section.
+  original_fieldset: geo
+  short: Region ISO code.
   type: keyword
-threat.enrichments.indicator.pe.resources.type:
-  dashed_name: threat-enrichments-indicator-pe-resources-type
-  description: Digest of resource types.
-  example: '["RT_VERSION", "RT_MANIFEST"]'
-  flat_name: threat.enrichments.indicator.pe.resources.type
+threat.enrichments.indicator.geo.region_name:
+  dashed_name: threat-enrichments-indicator-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: threat.enrichments.indicator.geo.region_name
   ignore_above: 1024
-  level: extended
-  name: resources.type
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of resource types.
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
   type: keyword
-threat.enrichments.indicator.pe.rich_header.hash.md5:
-  dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5
-  description: MD5 hash of the header for the PE file.
-  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-  flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5
+threat.enrichments.indicator.geo.timezone:
+  dashed_name: threat-enrichments-indicator-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: threat.enrichments.indicator.geo.timezone
   ignore_above: 1024
-  level: extended
-  name: rich_header.hash.md5
+  level: core
+  name: timezone
   normalize: []
-  original_fieldset: pe
-  short: MD5 hash of the header for the PE file.
+  original_fieldset: geo
+  short: Time zone.
   type: keyword
-threat.enrichments.indicator.pe.sections:
-  dashed_name: threat-enrichments-indicator-pe-sections
-  description: Data about sections of compiled binary PE
-  flat_name: threat.enrichments.indicator.pe.sections
-  level: extended
-  name: sections
-  normalize:
-  - array
-  original_fieldset: pe
-  short: Data about sections of the compiled binary PE
-  type: nested
-threat.enrichments.indicator.pe.sections.chi2:
-  dashed_name: threat-enrichments-indicator-pe-sections-chi2
-  description: Chi-square probability distribution.
-  example: 3027194
-  flat_name: threat.enrichments.indicator.pe.sections.chi2
-  level: extended
-  name: sections.chi2
-  normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
-  type: long
-threat.enrichments.indicator.pe.sections.entropy:
-  dashed_name: threat-enrichments-indicator-pe-sections-entropy
-  description: Measurement of entropy randomness in the file.
-  example: 6.24
-  flat_name: threat.enrichments.indicator.pe.sections.entropy
+threat.enrichments.indicator.ip:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-ip
+  description: Identifies a threat indicator as an IP address (irrespective of direction).
+  example: 1.2.3.4
+  flat_name: threat.enrichments.indicator.ip
   level: extended
-  name: sections.entropy
+  name: enrichments.indicator.ip
   normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the file.
-  type: float
-threat.enrichments.indicator.pe.sections.flags:
-  dashed_name: threat-enrichments-indicator-pe-sections-flags
-  description: Section flags of the file.
-  example: rx
-  flat_name: threat.enrichments.indicator.pe.sections.flags
-  ignore_above: 1024
+  short: Indicator IP address
+  type: ip
+threat.enrichments.indicator.last_seen:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-last-seen
+  description: The date and time when intelligence source last reported sighting this
+    indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.last_seen
   level: extended
-  name: sections.flags
+  name: enrichments.indicator.last_seen
   normalize: []
-  original_fieldset: pe
-  short: Section flags of the file.
-  type: keyword
-threat.enrichments.indicator.pe.sections.name:
-  dashed_name: threat-enrichments-indicator-pe-sections-name
-  description: Section names of the file.
-  example: .text, .data
-  flat_name: threat.enrichments.indicator.pe.sections.name
+  short: Date/time indicator was last reported.
+  type: date
+threat.enrichments.indicator.marking.tlp:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-marking-tlp
+  description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
+    \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+  example: White
+  flat_name: threat.enrichments.indicator.marking.tlp
   ignore_above: 1024
   level: extended
-  name: sections.name
+  name: enrichments.indicator.marking.tlp
   normalize: []
-  original_fieldset: pe
-  short: Section names of the file.
+  short: Indicator TLP marking
   type: keyword
-threat.enrichments.indicator.pe.sections.raw_size:
-  dashed_name: threat-enrichments-indicator-pe-sections-raw-size
-  description: Size of the section or the dize of the initialized data on disk.
-  example: 198144
-  flat_name: threat.enrichments.indicator.pe.sections.raw_size
-  format: bytes
-  level: extended
-  name: sections.raw_size
-  normalize: []
-  original_fieldset: pe
-  short: Size of the section or the dize of the initialized data on disk.
-  type: long
-threat.enrichments.indicator.pe.sections.virtual_address:
-  dashed_name: threat-enrichments-indicator-pe-sections-virtual-address
-  description: Virtual address available to the file.
-  example: 8192
-  flat_name: threat.enrichments.indicator.pe.sections.virtual_address
-  format: bytes
+threat.enrichments.indicator.modified_at:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-modified-at
+  description: The date and time when intelligence source last modified information
+    for this indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.modified_at
   level: extended
-  name: sections.virtual_address
+  name: enrichments.indicator.modified_at
   normalize: []
-  original_fieldset: pe
-  short: Virtual address available to the file.
-  type: long
+  short: Date/time indicator was last updated.
+  type: date
 threat.enrichments.indicator.port:
   beta: This field is beta and subject to change.
   dashed_name: threat-enrichments-indicator-port
@@ -15173,6 +13751,16 @@ threat.enrichments.matched.index:
   normalize: []
   short: Matched indicator index
   type: keyword
+threat.enrichments.matched.occurred:
+  dashed_name: threat-enrichments-matched-occurred
+  description: Indicates when the indicator match was generated
+  example: 2021-10-05 17:00:58.326000+00:00
+  flat_name: threat.enrichments.matched.occurred
+  level: extended
+  name: enrichments.matched.occurred
+  normalize: []
+  short: Date of match
+  type: date
 threat.enrichments.matched.type:
   beta: This field is beta and subject to change.
   dashed_name: threat-enrichments-matched-type
@@ -15928,6 +14516,61 @@ threat.indicator.file.group:
   original_fieldset: file
   short: Primary group name of the file.
   type: keyword
+threat.indicator.file.hash.md5:
+  dashed_name: threat-indicator-file-hash-md5
+  description: MD5 hash.
+  flat_name: threat.indicator.file.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: md5
+  normalize: []
+  original_fieldset: hash
+  short: MD5 hash.
+  type: keyword
+threat.indicator.file.hash.sha1:
+  dashed_name: threat-indicator-file-hash-sha1
+  description: SHA1 hash.
+  flat_name: threat.indicator.file.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+threat.indicator.file.hash.sha256:
+  dashed_name: threat-indicator-file-hash-sha256
+  description: SHA256 hash.
+  flat_name: threat.indicator.file.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+threat.indicator.file.hash.sha512:
+  dashed_name: threat-indicator-file-hash-sha512
+  description: SHA512 hash.
+  flat_name: threat.indicator.file.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+threat.indicator.file.hash.ssdeep:
+  dashed_name: threat-indicator-file-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: threat.indicator.file.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 threat.indicator.file.inode:
   dashed_name: threat-indicator-file-inode
   description: Inode representing the file in the filesystem.
@@ -15983,801 +14626,1052 @@ threat.indicator.file.name:
   flat_name: threat.indicator.file.name
   ignore_above: 1024
   level: extended
-  name: name
+  name: name
+  normalize: []
+  original_fieldset: file
+  short: Name of the file including the extension, without the directory.
+  type: keyword
+threat.indicator.file.owner:
+  dashed_name: threat-indicator-file-owner
+  description: File owner's username.
+  example: alice
+  flat_name: threat.indicator.file.owner
+  ignore_above: 1024
+  level: extended
+  name: owner
+  normalize: []
+  original_fieldset: file
+  short: File owner's username.
+  type: keyword
+threat.indicator.file.path:
+  dashed_name: threat-indicator-file-path
+  description: Full path to the file, including the file name. It should include the
+    drive letter, when appropriate.
+  example: /home/alice/example.png
+  flat_name: threat.indicator.file.path
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: threat.indicator.file.path.text
+    name: text
+    type: match_only_text
+  name: path
+  normalize: []
+  original_fieldset: file
+  short: Full path to the file, including the file name.
+  type: keyword
+threat.indicator.file.pe.architecture:
+  dashed_name: threat-indicator-file-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: threat.indicator.file.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+threat.indicator.file.pe.authentihash:
+  dashed_name: threat-indicator-file-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: threat.indicator.file.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
+threat.indicator.file.pe.company:
+  dashed_name: threat-indicator-file-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: threat.indicator.file.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+threat.indicator.file.pe.compile_timestamp:
+  dashed_name: threat-indicator-file-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.file.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+threat.indicator.file.pe.compiler.name:
+  dashed_name: threat-indicator-file-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: threat.indicator.file.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+threat.indicator.file.pe.compiler.version:
+  dashed_name: threat-indicator-file-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: threat.indicator.file.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+threat.indicator.file.pe.creation_date:
+  dashed_name: threat-indicator-file-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.file.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+threat.indicator.file.pe.debug:
+  dashed_name: threat-indicator-file-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
+
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: threat.indicator.file.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+threat.indicator.file.pe.debug.offset:
+  dashed_name: threat-indicator-file-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: threat.indicator.file.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+threat.indicator.file.pe.debug.size:
+  dashed_name: threat-indicator-file-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: threat.indicator.file.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+threat.indicator.file.pe.debug.timestamp:
+  dashed_name: threat-indicator-file-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.file.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+threat.indicator.file.pe.debug.type:
+  dashed_name: threat-indicator-file-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: threat.indicator.file.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
+threat.indicator.file.pe.description:
+  dashed_name: threat-indicator-file-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: threat.indicator.file.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+threat.indicator.file.pe.entry_point:
+  dashed_name: threat-indicator-file-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: threat.indicator.file.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+threat.indicator.file.pe.exports:
+  dashed_name: threat-indicator-file-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: threat.indicator.file.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
+threat.indicator.file.pe.file_version:
+  dashed_name: threat-indicator-file-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: threat.indicator.file.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
   normalize: []
-  original_fieldset: file
-  short: Name of the file including the extension, without the directory.
+  original_fieldset: pe
+  short: Process name.
   type: keyword
-threat.indicator.file.owner:
-  dashed_name: threat-indicator-file-owner
-  description: File owner's username.
-  example: alice
-  flat_name: threat.indicator.file.owner
+threat.indicator.file.pe.icon.hash.dhash:
+  dashed_name: threat-indicator-file-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: threat.indicator.file.pe.icon.hash.dhash
   ignore_above: 1024
   level: extended
-  name: owner
+  name: icon.hash.dhash
   normalize: []
-  original_fieldset: file
-  short: File owner's username.
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
   type: keyword
-threat.indicator.file.path:
-  dashed_name: threat-indicator-file-path
-  description: Full path to the file, including the file name. It should include the
-    drive letter, when appropriate.
-  example: /home/alice/example.png
-  flat_name: threat.indicator.file.path
+threat.indicator.file.pe.imphash:
+  dashed_name: threat-indicator-file-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: threat.indicator.file.pe.imphash
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: threat.indicator.file.path.text
-    name: text
-    type: match_only_text
-  name: path
+  name: imphash
   normalize: []
-  original_fieldset: file
-  short: Full path to the file, including the file name.
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
   type: keyword
-threat.indicator.file.size:
-  dashed_name: threat-indicator-file-size
-  description: 'File size in bytes.
-
-    Only relevant when `file.type` is "file".'
-  example: 16384
-  flat_name: threat.indicator.file.size
+threat.indicator.file.pe.imports:
+  dashed_name: threat-indicator-file-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: threat.indicator.file.pe.imports
   level: extended
-  name: size
+  name: imports
   normalize: []
-  original_fieldset: file
-  short: File size in bytes.
-  type: long
-threat.indicator.file.target_path:
-  dashed_name: threat-indicator-file-target-path
-  description: Target path for symlinks.
-  flat_name: threat.indicator.file.target_path
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+threat.indicator.file.pe.machine_type:
+  dashed_name: threat-indicator-file-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: threat.indicator.file.pe.machine_type
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: threat.indicator.file.target_path.text
-    name: text
-    type: match_only_text
-  name: target_path
+  name: machine_type
   normalize: []
-  original_fieldset: file
-  short: Target path for symlinks.
+  original_fieldset: pe
+  short: Machine type of the PE file.
   type: keyword
-threat.indicator.file.type:
-  dashed_name: threat-indicator-file-type
-  description: File type (file, dir, or symlink).
-  example: file
-  flat_name: threat.indicator.file.type
+threat.indicator.file.pe.original_file_name:
+  dashed_name: threat-indicator-file-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: threat.indicator.file.pe.original_file_name
   ignore_above: 1024
   level: extended
-  name: type
+  name: original_file_name
   normalize: []
-  original_fieldset: file
-  short: File type (file, dir, or symlink).
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
   type: keyword
-threat.indicator.file.uid:
-  dashed_name: threat-indicator-file-uid
-  description: The user ID (UID) or security identifier (SID) of the file owner.
-  example: '1001'
-  flat_name: threat.indicator.file.uid
+threat.indicator.file.pe.packers:
+  dashed_name: threat-indicator-file-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: threat.indicator.file.pe.packers
   ignore_above: 1024
   level: extended
-  name: uid
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
+threat.indicator.file.pe.product:
+  dashed_name: threat-indicator-file-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: threat.indicator.file.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
   normalize: []
-  original_fieldset: file
-  short: The user ID (UID) or security identifier (SID) of the file owner.
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
   type: keyword
-threat.indicator.first_seen:
-  dashed_name: threat-indicator-first-seen
-  description: The date and time when intelligence source first reported sighting
-    this indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.indicator.first_seen
+threat.indicator.file.pe.resources:
+  dashed_name: threat-indicator-file-pe-resources
+  description: 'An array containing an object for each PE resource, if present.
+
+    The expected fields for this nested object fall under the `resources.` prefix.'
+  flat_name: threat.indicator.file.pe.resources
   level: extended
-  name: indicator.first_seen
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: PE resource information
+  type: nested
+threat.indicator.file.pe.resources.chi2:
+  dashed_name: threat-indicator-file-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: threat.indicator.file.pe.resources.chi2
+  level: extended
+  name: resources.chi2
   normalize: []
-  short: Date/time indicator was first reported.
-  type: date
-threat.indicator.geo.city_name:
-  dashed_name: threat-indicator-geo-city-name
-  description: City name.
-  example: Montreal
-  flat_name: threat.indicator.geo.city_name
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+threat.indicator.file.pe.resources.entropy:
+  dashed_name: threat-indicator-file-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: threat.indicator.file.pe.resources.entropy
+  level: extended
+  name: resources.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+threat.indicator.file.pe.resources.filetype:
+  dashed_name: threat-indicator-file-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: threat.indicator.file.pe.resources.filetype
   ignore_above: 1024
-  level: core
-  name: city_name
+  level: extended
+  name: resources.filetype
   normalize: []
-  original_fieldset: geo
-  short: City name.
+  original_fieldset: pe
+  short: File type of the resources section.
   type: keyword
-threat.indicator.geo.continent_code:
-  dashed_name: threat-indicator-geo-continent-code
-  description: Two-letter code representing continent's name.
-  example: NA
-  flat_name: threat.indicator.geo.continent_code
+threat.indicator.file.pe.resources.language:
+  dashed_name: threat-indicator-file-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: threat.indicator.file.pe.resources.language
   ignore_above: 1024
-  level: core
-  name: continent_code
+  level: extended
+  name: resources.language
   normalize: []
-  original_fieldset: geo
-  short: Continent code.
+  original_fieldset: pe
+  short: Language identification.
   type: keyword
-threat.indicator.geo.continent_name:
-  dashed_name: threat-indicator-geo-continent-name
-  description: Name of the continent.
-  example: North America
-  flat_name: threat.indicator.geo.continent_name
+threat.indicator.file.pe.resources.sha256:
+  dashed_name: threat-indicator-file-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: threat.indicator.file.pe.resources.sha256
   ignore_above: 1024
-  level: core
-  name: continent_name
+  level: extended
+  name: resources.sha256
   normalize: []
-  original_fieldset: geo
-  short: Name of the continent.
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
   type: keyword
-threat.indicator.geo.country_iso_code:
-  dashed_name: threat-indicator-geo-country-iso-code
-  description: Country ISO code.
-  example: CA
-  flat_name: threat.indicator.geo.country_iso_code
+threat.indicator.file.pe.resources.type:
+  dashed_name: threat-indicator-file-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: threat.indicator.file.pe.resources.type
   ignore_above: 1024
-  level: core
-  name: country_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Country ISO code.
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
   type: keyword
-threat.indicator.geo.country_name:
-  dashed_name: threat-indicator-geo-country-name
-  description: Country name.
-  example: Canada
-  flat_name: threat.indicator.geo.country_name
+threat.indicator.file.pe.rich_header.hash.md5:
+  dashed_name: threat-indicator-file-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: threat.indicator.file.pe.rich_header.hash.md5
   ignore_above: 1024
-  level: core
-  name: country_name
+  level: extended
+  name: rich_header.hash.md5
   normalize: []
-  original_fieldset: geo
-  short: Country name.
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
   type: keyword
-threat.indicator.geo.location:
-  dashed_name: threat-indicator-geo-location
-  description: Longitude and latitude.
-  example: '{ "lon": -73.614830, "lat": 45.505918 }'
-  flat_name: threat.indicator.geo.location
-  level: core
-  name: location
+threat.indicator.file.pe.sections:
+  dashed_name: threat-indicator-file-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: threat.indicator.file.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+threat.indicator.file.pe.sections.chi2:
+  dashed_name: threat-indicator-file-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: threat.indicator.file.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+threat.indicator.file.pe.sections.entropy:
+  dashed_name: threat-indicator-file-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: threat.indicator.file.pe.sections.entropy
+  level: extended
+  name: sections.entropy
   normalize: []
-  original_fieldset: geo
-  short: Longitude and latitude.
-  type: geo_point
-threat.indicator.geo.name:
-  dashed_name: threat-indicator-geo-name
-  description: 'User-defined description of a location, at the level of granularity
-    they care about.
-
-    Could be the name of their data centers, the floor number, if this describes a
-    local physical entity, city names.
-
-    Not typically used in automated geolocation.'
-  example: boston-dc
-  flat_name: threat.indicator.geo.name
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+threat.indicator.file.pe.sections.flags:
+  dashed_name: threat-indicator-file-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: threat.indicator.file.pe.sections.flags
   ignore_above: 1024
   level: extended
-  name: name
+  name: sections.flags
   normalize: []
-  original_fieldset: geo
-  short: User-defined description of a location.
+  original_fieldset: pe
+  short: Section flags of the file.
   type: keyword
-threat.indicator.geo.postal_code:
-  dashed_name: threat-indicator-geo-postal-code
-  description: 'Postal code associated with the location.
-
-    Values appropriate for this field may also be known as a postcode or ZIP code
-    and will vary widely from country to country.'
-  example: 94040
-  flat_name: threat.indicator.geo.postal_code
+threat.indicator.file.pe.sections.name:
+  dashed_name: threat-indicator-file-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: threat.indicator.file.pe.sections.name
   ignore_above: 1024
-  level: core
-  name: postal_code
+  level: extended
+  name: sections.name
   normalize: []
-  original_fieldset: geo
-  short: Postal code.
+  original_fieldset: pe
+  short: Section names of the file.
   type: keyword
-threat.indicator.geo.region_iso_code:
-  dashed_name: threat-indicator-geo-region-iso-code
-  description: Region ISO code.
-  example: CA-QC
-  flat_name: threat.indicator.geo.region_iso_code
+threat.indicator.file.pe.sections.raw_size:
+  dashed_name: threat-indicator-file-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: threat.indicator.file.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+threat.indicator.file.pe.sections.virtual_address:
+  dashed_name: threat-indicator-file-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: threat.indicator.file.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
+threat.indicator.file.size:
+  dashed_name: threat-indicator-file-size
+  description: 'File size in bytes.
+
+    Only relevant when `file.type` is "file".'
+  example: 16384
+  flat_name: threat.indicator.file.size
+  level: extended
+  name: size
+  normalize: []
+  original_fieldset: file
+  short: File size in bytes.
+  type: long
+threat.indicator.file.target_path:
+  dashed_name: threat-indicator-file-target-path
+  description: Target path for symlinks.
+  flat_name: threat.indicator.file.target_path
   ignore_above: 1024
-  level: core
-  name: region_iso_code
+  level: extended
+  multi_fields:
+  - flat_name: threat.indicator.file.target_path.text
+    name: text
+    type: match_only_text
+  name: target_path
   normalize: []
-  original_fieldset: geo
-  short: Region ISO code.
+  original_fieldset: file
+  short: Target path for symlinks.
   type: keyword
-threat.indicator.geo.region_name:
-  dashed_name: threat-indicator-geo-region-name
-  description: Region name.
-  example: Quebec
-  flat_name: threat.indicator.geo.region_name
+threat.indicator.file.type:
+  dashed_name: threat-indicator-file-type
+  description: File type (file, dir, or symlink).
+  example: file
+  flat_name: threat.indicator.file.type
   ignore_above: 1024
-  level: core
-  name: region_name
+  level: extended
+  name: type
   normalize: []
-  original_fieldset: geo
-  short: Region name.
+  original_fieldset: file
+  short: File type (file, dir, or symlink).
   type: keyword
-threat.indicator.geo.timezone:
-  dashed_name: threat-indicator-geo-timezone
-  description: The time zone of the location, such as IANA time zone name.
-  example: America/Argentina/Buenos_Aires
-  flat_name: threat.indicator.geo.timezone
+threat.indicator.file.uid:
+  dashed_name: threat-indicator-file-uid
+  description: The user ID (UID) or security identifier (SID) of the file owner.
+  example: '1001'
+  flat_name: threat.indicator.file.uid
   ignore_above: 1024
-  level: core
-  name: timezone
+  level: extended
+  name: uid
   normalize: []
-  original_fieldset: geo
-  short: Time zone.
+  original_fieldset: file
+  short: The user ID (UID) or security identifier (SID) of the file owner.
   type: keyword
-threat.indicator.hash.md5:
-  dashed_name: threat-indicator-hash-md5
-  description: MD5 hash.
-  flat_name: threat.indicator.hash.md5
+threat.indicator.file.x509.alternative_names:
+  dashed_name: threat-indicator-file-x509-alternative-names
+  description: List of subject alternative names (SAN). Name types vary by certificate
+    authority and certificate type but commonly contain IP addresses, DNS names (and
+    wildcards), and email addresses.
+  example: '*.elastic.co'
+  flat_name: threat.indicator.file.x509.alternative_names
   ignore_above: 1024
   level: extended
-  name: md5
-  normalize: []
-  original_fieldset: hash
-  short: MD5 hash.
+  name: alternative_names
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of subject alternative names (SAN).
   type: keyword
-threat.indicator.hash.sha1:
-  dashed_name: threat-indicator-hash-sha1
-  description: SHA1 hash.
-  flat_name: threat.indicator.hash.sha1
+threat.indicator.file.x509.issuer.common_name:
+  dashed_name: threat-indicator-file-x509-issuer-common-name
+  description: List of common name (CN) of issuing certificate authority.
+  example: Example SHA2 High Assurance Server CA
+  flat_name: threat.indicator.file.x509.issuer.common_name
   ignore_above: 1024
   level: extended
-  name: sha1
-  normalize: []
-  original_fieldset: hash
-  short: SHA1 hash.
+  name: issuer.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common name (CN) of issuing certificate authority.
   type: keyword
-threat.indicator.hash.sha256:
-  dashed_name: threat-indicator-hash-sha256
-  description: SHA256 hash.
-  flat_name: threat.indicator.hash.sha256
+threat.indicator.file.x509.issuer.country:
+  dashed_name: threat-indicator-file-x509-issuer-country
+  description: List of country (C) codes
+  example: US
+  flat_name: threat.indicator.file.x509.issuer.country
   ignore_above: 1024
   level: extended
-  name: sha256
-  normalize: []
-  original_fieldset: hash
-  short: SHA256 hash.
+  name: issuer.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) codes
   type: keyword
-threat.indicator.hash.sha512:
-  dashed_name: threat-indicator-hash-sha512
-  description: SHA512 hash.
-  flat_name: threat.indicator.hash.sha512
+threat.indicator.file.x509.issuer.distinguished_name:
+  dashed_name: threat-indicator-file-x509-issuer-distinguished-name
+  description: Distinguished name (DN) of issuing certificate authority.
+  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+    Server CA
+  flat_name: threat.indicator.file.x509.issuer.distinguished_name
   ignore_above: 1024
   level: extended
-  name: sha512
+  name: issuer.distinguished_name
   normalize: []
-  original_fieldset: hash
-  short: SHA512 hash.
+  original_fieldset: x509
+  short: Distinguished name (DN) of issuing certificate authority.
   type: keyword
-threat.indicator.hash.ssdeep:
-  dashed_name: threat-indicator-hash-ssdeep
-  description: SSDEEP hash.
-  flat_name: threat.indicator.hash.ssdeep
+threat.indicator.file.x509.issuer.locality:
+  dashed_name: threat-indicator-file-x509-issuer-locality
+  description: List of locality names (L)
+  example: Mountain View
+  flat_name: threat.indicator.file.x509.issuer.locality
   ignore_above: 1024
   level: extended
-  name: ssdeep
-  normalize: []
-  original_fieldset: hash
-  short: SSDEEP hash.
+  name: issuer.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
   type: keyword
-threat.indicator.ip:
-  dashed_name: threat-indicator-ip
-  description: Identifies a threat indicator as an IP address (irrespective of direction).
-  example: 1.2.3.4
-  flat_name: threat.indicator.ip
+threat.indicator.file.x509.issuer.organization:
+  dashed_name: threat-indicator-file-x509-issuer-organization
+  description: List of organizations (O) of issuing certificate authority.
+  example: Example Inc
+  flat_name: threat.indicator.file.x509.issuer.organization
+  ignore_above: 1024
   level: extended
-  name: indicator.ip
-  normalize: []
-  short: Indicator IP address
-  type: ip
-threat.indicator.last_seen:
-  dashed_name: threat-indicator-last-seen
-  description: The date and time when intelligence source last reported sighting this
-    indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.indicator.last_seen
+  name: issuer.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of issuing certificate authority.
+  type: keyword
+threat.indicator.file.x509.issuer.organizational_unit:
+  dashed_name: threat-indicator-file-x509-issuer-organizational-unit
+  description: List of organizational units (OU) of issuing certificate authority.
+  example: www.example.com
+  flat_name: threat.indicator.file.x509.issuer.organizational_unit
+  ignore_above: 1024
   level: extended
-  name: indicator.last_seen
-  normalize: []
-  short: Date/time indicator was last reported.
-  type: date
-threat.indicator.marking.tlp:
-  dashed_name: threat-indicator-marking-tlp
-  description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
-    \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-  example: WHITE
-  flat_name: threat.indicator.marking.tlp
+  name: issuer.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of issuing certificate authority.
+  type: keyword
+threat.indicator.file.x509.issuer.state_or_province:
+  dashed_name: threat-indicator-file-x509-issuer-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.indicator.file.x509.issuer.state_or_province
   ignore_above: 1024
   level: extended
-  name: indicator.marking.tlp
-  normalize: []
-  short: Indicator TLP marking
+  name: issuer.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
   type: keyword
-threat.indicator.modified_at:
-  dashed_name: threat-indicator-modified-at
-  description: The date and time when intelligence source last modified information
-    for this indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.indicator.modified_at
+threat.indicator.file.x509.not_after:
+  dashed_name: threat-indicator-file-x509-not-after
+  description: Time at which the certificate is no longer considered valid.
+  example: 2020-07-16 03:15:39+00:00
+  flat_name: threat.indicator.file.x509.not_after
+  level: extended
+  name: not_after
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is no longer considered valid.
+  type: date
+threat.indicator.file.x509.not_before:
+  dashed_name: threat-indicator-file-x509-not-before
+  description: Time at which the certificate is first considered valid.
+  example: 2019-08-16 01:40:25+00:00
+  flat_name: threat.indicator.file.x509.not_before
   level: extended
-  name: indicator.modified_at
+  name: not_before
   normalize: []
-  short: Date/time indicator was last updated.
+  original_fieldset: x509
+  short: Time at which the certificate is first considered valid.
   type: date
-threat.indicator.pe.architecture:
-  dashed_name: threat-indicator-pe-architecture
-  description: CPU architecture target for the file.
-  example: x64
-  flat_name: threat.indicator.pe.architecture
+threat.indicator.file.x509.public_key_algorithm:
+  dashed_name: threat-indicator-file-x509-public-key-algorithm
+  description: Algorithm used to generate the public key.
+  example: RSA
+  flat_name: threat.indicator.file.x509.public_key_algorithm
   ignore_above: 1024
   level: extended
-  name: architecture
+  name: public_key_algorithm
   normalize: []
-  original_fieldset: pe
-  short: CPU architecture target for the file.
+  original_fieldset: x509
+  short: Algorithm used to generate the public key.
   type: keyword
-threat.indicator.pe.authentihash:
-  dashed_name: threat-indicator-pe-authentihash
-  description: Authentihash of the PE file.
-  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-  flat_name: threat.indicator.pe.authentihash
+threat.indicator.file.x509.public_key_curve:
+  dashed_name: threat-indicator-file-x509-public-key-curve
+  description: The curve used by the elliptic curve public key algorithm. This is
+    algorithm specific.
+  example: nistp521
+  flat_name: threat.indicator.file.x509.public_key_curve
   ignore_above: 1024
   level: extended
-  name: authentihash
+  name: public_key_curve
   normalize: []
-  original_fieldset: pe
-  short: Authentihash of the PE file.
+  original_fieldset: x509
+  short: The curve used by the elliptic curve public key algorithm. This is algorithm
+    specific.
   type: keyword
-threat.indicator.pe.company:
-  dashed_name: threat-indicator-pe-company
-  description: Internal company name of the file, provided at compile-time.
-  example: Microsoft Corporation
-  flat_name: threat.indicator.pe.company
-  ignore_above: 1024
+threat.indicator.file.x509.public_key_exponent:
+  dashed_name: threat-indicator-file-x509-public-key-exponent
+  description: Exponent used to derive the public key. This is algorithm specific.
+  doc_values: false
+  example: 65537
+  flat_name: threat.indicator.file.x509.public_key_exponent
+  index: false
   level: extended
-  name: company
+  name: public_key_exponent
   normalize: []
-  original_fieldset: pe
-  short: Internal company name of the file, provided at compile-time.
-  type: keyword
-threat.indicator.pe.compile_timestamp:
-  dashed_name: threat-indicator-pe-compile-timestamp
-  description: Compile timestamp of the PE file.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.indicator.pe.compile_timestamp
+  original_fieldset: x509
+  short: Exponent used to derive the public key. This is algorithm specific.
+  type: long
+threat.indicator.file.x509.public_key_size:
+  dashed_name: threat-indicator-file-x509-public-key-size
+  description: The size of the public key space in bits.
+  example: 2048
+  flat_name: threat.indicator.file.x509.public_key_size
   level: extended
-  name: compile_timestamp
+  name: public_key_size
   normalize: []
-  original_fieldset: pe
-  short: Compile timestamp of the PE file.
-  type: date
-threat.indicator.pe.compiler.name:
-  dashed_name: threat-indicator-pe-compiler-name
-  description: Name of the compiler
-  example: Clang
-  flat_name: threat.indicator.pe.compiler.name
+  original_fieldset: x509
+  short: The size of the public key space in bits.
+  type: long
+threat.indicator.file.x509.serial_number:
+  dashed_name: threat-indicator-file-x509-serial-number
+  description: Unique serial number issued by the certificate authority. For consistency,
+    if this value is alphanumeric, it should be formatted without colons and uppercase
+    characters.
+  example: 55FBB9C7DEBF09809D12CCAA
+  flat_name: threat.indicator.file.x509.serial_number
   ignore_above: 1024
   level: extended
-  name: compiler.name
+  name: serial_number
   normalize: []
-  original_fieldset: pe
-  short: Name of the compiler
+  original_fieldset: x509
+  short: Unique serial number issued by the certificate authority.
   type: keyword
-threat.indicator.pe.compiler.version:
-  dashed_name: threat-indicator-pe-compiler-version
-  description: Version of the compiler.
-  example: 11.0.0
-  flat_name: threat.indicator.pe.compiler.version
+threat.indicator.file.x509.signature_algorithm:
+  dashed_name: threat-indicator-file-x509-signature-algorithm
+  description: Identifier for certificate signature algorithm. We recommend using
+    names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+  example: SHA256-RSA
+  flat_name: threat.indicator.file.x509.signature_algorithm
   ignore_above: 1024
   level: extended
-  name: compiler.version
+  name: signature_algorithm
   normalize: []
-  original_fieldset: pe
-  short: Version of the compiler.
+  original_fieldset: x509
+  short: Identifier for certificate signature algorithm.
   type: keyword
-threat.indicator.pe.creation_date:
-  dashed_name: threat-indicator-pe-creation-date
-  description: Extracted when possible from the file's metadata. Indicates when it
-    was built or compiled. It can also be faked by malware creators.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.indicator.pe.creation_date
-  level: extended
-  name: creation_date
-  normalize: []
-  original_fieldset: pe
-  short: Build or compile date.
-  type: date
-threat.indicator.pe.debug:
-  dashed_name: threat-indicator-pe-debug
-  description: 'An array containing an object for each debug entry, if present.
-
-    The expected fields for this nested object fall under the `debug.` prefix.'
-  flat_name: threat.indicator.pe.debug
+threat.indicator.file.x509.subject.common_name:
+  dashed_name: threat-indicator-file-x509-subject-common-name
+  description: List of common names (CN) of subject.
+  example: shared.global.example.net
+  flat_name: threat.indicator.file.x509.subject.common_name
+  ignore_above: 1024
   level: extended
-  name: debug
+  name: subject.common_name
   normalize:
   - array
-  original_fieldset: pe
-  short: Debug information
-  type: nested
-threat.indicator.pe.debug.offset:
-  dashed_name: threat-indicator-pe-debug-offset
-  description: Debug offset information.
-  example: 1296336
-  flat_name: threat.indicator.pe.debug.offset
-  ignore_above: 1024
-  level: extended
-  name: debug.offset
-  normalize: []
-  original_fieldset: pe
-  short: Debug offset information.
+  original_fieldset: x509
+  short: List of common names (CN) of subject.
   type: keyword
-threat.indicator.pe.debug.size:
-  dashed_name: threat-indicator-pe-debug-size
-  description: Size of the debug information.
-  example: 816
-  flat_name: threat.indicator.pe.debug.size
-  format: bytes
-  level: extended
-  name: debug.size
-  normalize: []
-  original_fieldset: pe
-  short: Size of the debug information.
-  type: long
-threat.indicator.pe.debug.timestamp:
-  dashed_name: threat-indicator-pe-debug-timestamp
-  description: Timestamp of the debug information.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.indicator.pe.debug.timestamp
-  level: extended
-  name: debug.timestamp
-  normalize: []
-  original_fieldset: pe
-  short: Timestamp of the debug information.
-  type: date
-threat.indicator.pe.debug.type:
-  dashed_name: threat-indicator-pe-debug-type
-  description: Information type generated by the debug options.
-  example: IMAGE_DEBUG_TYPE_POGO
-  flat_name: threat.indicator.pe.debug.type
+threat.indicator.file.x509.subject.country:
+  dashed_name: threat-indicator-file-x509-subject-country
+  description: List of country (C) code
+  example: US
+  flat_name: threat.indicator.file.x509.subject.country
   ignore_above: 1024
   level: extended
-  name: debug.type
-  normalize: []
-  original_fieldset: pe
-  short: Information type generated by the debug options.
+  name: subject.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) code
   type: keyword
-threat.indicator.pe.description:
-  dashed_name: threat-indicator-pe-description
-  description: Internal description of the file, provided at compile-time.
-  example: Paint
-  flat_name: threat.indicator.pe.description
+threat.indicator.file.x509.subject.distinguished_name:
+  dashed_name: threat-indicator-file-x509-subject-distinguished-name
+  description: Distinguished name (DN) of the certificate subject entity.
+  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+  flat_name: threat.indicator.file.x509.subject.distinguished_name
   ignore_above: 1024
   level: extended
-  name: description
+  name: subject.distinguished_name
   normalize: []
-  original_fieldset: pe
-  short: Internal description of the file, provided at compile-time.
+  original_fieldset: x509
+  short: Distinguished name (DN) of the certificate subject entity.
   type: keyword
-threat.indicator.pe.entry_point:
-  dashed_name: threat-indicator-pe-entry-point
-  description: Relative byte offset to the base of the PE file.
-  example: 25856
-  flat_name: threat.indicator.pe.entry_point
+threat.indicator.file.x509.subject.locality:
+  dashed_name: threat-indicator-file-x509-subject-locality
+  description: List of locality names (L)
+  example: San Francisco
+  flat_name: threat.indicator.file.x509.subject.locality
   ignore_above: 1024
   level: extended
-  name: entry_point
-  normalize: []
-  original_fieldset: pe
-  short: Relative byte offset to the base of the PE file.
+  name: subject.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
   type: keyword
-threat.indicator.pe.exports:
-  dashed_name: threat-indicator-pe-exports
-  description: List of symbols exported by PE
-  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-  flat_name: threat.indicator.pe.exports
+threat.indicator.file.x509.subject.organization:
+  dashed_name: threat-indicator-file-x509-subject-organization
+  description: List of organizations (O) of subject.
+  example: Example, Inc.
+  flat_name: threat.indicator.file.x509.subject.organization
   ignore_above: 1024
   level: extended
-  name: exports
+  name: subject.organization
   normalize:
   - array
-  original_fieldset: pe
-  short: List of symbols exported by PE
+  original_fieldset: x509
+  short: List of organizations (O) of subject.
   type: keyword
-threat.indicator.pe.file_version:
-  dashed_name: threat-indicator-pe-file-version
-  description: Internal version of the file, provided at compile-time.
-  example: 6.3.9600.17415
-  flat_name: threat.indicator.pe.file_version
+threat.indicator.file.x509.subject.organizational_unit:
+  dashed_name: threat-indicator-file-x509-subject-organizational-unit
+  description: List of organizational units (OU) of subject.
+  flat_name: threat.indicator.file.x509.subject.organizational_unit
   ignore_above: 1024
   level: extended
-  name: file_version
-  normalize: []
-  original_fieldset: pe
-  short: Process name.
+  name: subject.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of subject.
   type: keyword
-threat.indicator.pe.icon.hash.dhash:
-  dashed_name: threat-indicator-pe-icon-hash-dhash
-  description: Difference Hash (dhash) to find files with a visually similar icon
-    or thumbnail.
-  example: b806e17c8e330d82
-  flat_name: threat.indicator.pe.icon.hash.dhash
+threat.indicator.file.x509.subject.state_or_province:
+  dashed_name: threat-indicator-file-x509-subject-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.indicator.file.x509.subject.state_or_province
   ignore_above: 1024
   level: extended
-  name: icon.hash.dhash
-  normalize: []
-  original_fieldset: pe
-  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  name: subject.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
   type: keyword
-threat.indicator.pe.imphash:
-  dashed_name: threat-indicator-pe-imphash
-  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
-    can be used to fingerprint binaries even after recompilation or other code-level
-    transformations have occurred, which would change more traditional hash values.
-
-    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-  example: 0c6803c4e922103c4dca5963aad36ddf
-  flat_name: threat.indicator.pe.imphash
+threat.indicator.file.x509.version_number:
+  dashed_name: threat-indicator-file-x509-version-number
+  description: Version of x509 format.
+  example: 3
+  flat_name: threat.indicator.file.x509.version_number
   ignore_above: 1024
   level: extended
-  name: imphash
+  name: version_number
   normalize: []
-  original_fieldset: pe
-  short: A hash of the imports in a PE file.
+  original_fieldset: x509
+  short: Version of x509 format.
   type: keyword
-threat.indicator.pe.imports:
-  dashed_name: threat-indicator-pe-imports
-  description: List of all imported functions
-  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-    }'
-  flat_name: threat.indicator.pe.imports
+threat.indicator.first_seen:
+  dashed_name: threat-indicator-first-seen
+  description: The date and time when intelligence source first reported sighting
+    this indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.first_seen
   level: extended
-  name: imports
+  name: indicator.first_seen
   normalize: []
-  original_fieldset: pe
-  short: List of all imported functions
-  type: flattened
-threat.indicator.pe.machine_type:
-  dashed_name: threat-indicator-pe-machine-type
-  description: Machine type of the PE file.
-  example: Intel 386 or later, and compatibles
-  flat_name: threat.indicator.pe.machine_type
+  short: Date/time indicator was first reported.
+  type: date
+threat.indicator.geo.city_name:
+  dashed_name: threat-indicator-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: threat.indicator.geo.city_name
   ignore_above: 1024
-  level: extended
-  name: machine_type
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+threat.indicator.geo.continent_code:
+  dashed_name: threat-indicator-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: threat.indicator.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
   normalize: []
-  original_fieldset: pe
-  short: Machine type of the PE file.
+  original_fieldset: geo
+  short: Continent code.
   type: keyword
-threat.indicator.pe.original_file_name:
-  dashed_name: threat-indicator-pe-original-file-name
-  description: Internal name of the file, provided at compile-time.
-  example: MSPAINT.EXE
-  flat_name: threat.indicator.pe.original_file_name
+threat.indicator.geo.continent_name:
+  dashed_name: threat-indicator-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: threat.indicator.geo.continent_name
   ignore_above: 1024
-  level: extended
-  name: original_file_name
+  level: core
+  name: continent_name
   normalize: []
-  original_fieldset: pe
-  short: Internal name of the file, provided at compile-time.
+  original_fieldset: geo
+  short: Name of the continent.
   type: keyword
-threat.indicator.pe.packers:
-  dashed_name: threat-indicator-pe-packers
-  description: List of packers and tools used.
-  example: '["ASPack v2.12", ".NET executable"]'
-  flat_name: threat.indicator.pe.packers
+threat.indicator.geo.country_iso_code:
+  dashed_name: threat-indicator-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: threat.indicator.geo.country_iso_code
   ignore_above: 1024
-  level: extended
-  name: packers
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of packers and tools used.
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
   type: keyword
-threat.indicator.pe.product:
-  dashed_name: threat-indicator-pe-product
-  description: Internal product name of the file, provided at compile-time.
-  example: "Microsoft\xAE Windows\xAE Operating System"
-  flat_name: threat.indicator.pe.product
+threat.indicator.geo.country_name:
+  dashed_name: threat-indicator-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: threat.indicator.geo.country_name
   ignore_above: 1024
-  level: extended
-  name: product
+  level: core
+  name: country_name
   normalize: []
-  original_fieldset: pe
-  short: Internal product name of the file, provided at compile-time.
+  original_fieldset: geo
+  short: Country name.
   type: keyword
-threat.indicator.pe.resources:
-  dashed_name: threat-indicator-pe-resources
-  description: 'An array containing an object for each PE resource, if present.
-
-    The expected fields for this nested object fall under the `resources.` prefix.'
-  flat_name: threat.indicator.pe.resources
-  level: extended
-  name: resources
-  normalize:
-  - array
-  original_fieldset: pe
-  short: PE resource information
-  type: nested
-threat.indicator.pe.resources.chi2:
-  dashed_name: threat-indicator-pe-resources-chi2
-  description: Chi-square probability distribution.
-  example: -1
-  flat_name: threat.indicator.pe.resources.chi2
-  level: extended
-  name: resources.chi2
-  normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
-  type: long
-threat.indicator.pe.resources.entropy:
-  dashed_name: threat-indicator-pe-resources-entropy
-  description: Measurement of entropy randomness in the resources section.
-  example: 0, 1
-  flat_name: threat.indicator.pe.resources.entropy
-  level: extended
-  name: resources.entropy
+threat.indicator.geo.location:
+  dashed_name: threat-indicator-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: threat.indicator.geo.location
+  level: core
+  name: location
   normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the resources section.
-  type: long
-threat.indicator.pe.resources.filetype:
-  dashed_name: threat-indicator-pe-resources-filetype
-  description: File type of the resources section.
-  example: Data
-  flat_name: threat.indicator.pe.resources.filetype
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+threat.indicator.geo.name:
+  dashed_name: threat-indicator-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: threat.indicator.geo.name
   ignore_above: 1024
   level: extended
-  name: resources.filetype
+  name: name
   normalize: []
-  original_fieldset: pe
-  short: File type of the resources section.
+  original_fieldset: geo
+  short: User-defined description of a location.
   type: keyword
-threat.indicator.pe.resources.language:
-  dashed_name: threat-indicator-pe-resources-language
-  description: Language identification.
-  example: CHINESE SIMPLIFIED
-  flat_name: threat.indicator.pe.resources.language
+threat.indicator.geo.postal_code:
+  dashed_name: threat-indicator-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: threat.indicator.geo.postal_code
   ignore_above: 1024
-  level: extended
-  name: resources.language
+  level: core
+  name: postal_code
   normalize: []
-  original_fieldset: pe
-  short: Language identification.
+  original_fieldset: geo
+  short: Postal code.
   type: keyword
-threat.indicator.pe.resources.sha256:
-  dashed_name: threat-indicator-pe-resources-sha256
-  description: SHA256 hash of resources section.
-  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-  flat_name: threat.indicator.pe.resources.sha256
+threat.indicator.geo.region_iso_code:
+  dashed_name: threat-indicator-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: threat.indicator.geo.region_iso_code
   ignore_above: 1024
-  level: extended
-  name: resources.sha256
+  level: core
+  name: region_iso_code
   normalize: []
-  original_fieldset: pe
-  short: SHA256 hash of resources section.
+  original_fieldset: geo
+  short: Region ISO code.
   type: keyword
-threat.indicator.pe.resources.type:
-  dashed_name: threat-indicator-pe-resources-type
-  description: Digest of resource types.
-  example: '["RT_VERSION", "RT_MANIFEST"]'
-  flat_name: threat.indicator.pe.resources.type
+threat.indicator.geo.region_name:
+  dashed_name: threat-indicator-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: threat.indicator.geo.region_name
   ignore_above: 1024
-  level: extended
-  name: resources.type
-  normalize:
-  - array
-  original_fieldset: pe
-  short: List of resource types.
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
   type: keyword
-threat.indicator.pe.rich_header.hash.md5:
-  dashed_name: threat-indicator-pe-rich-header-hash-md5
-  description: MD5 hash of the header for the PE file.
-  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-  flat_name: threat.indicator.pe.rich_header.hash.md5
+threat.indicator.geo.timezone:
+  dashed_name: threat-indicator-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: threat.indicator.geo.timezone
   ignore_above: 1024
-  level: extended
-  name: rich_header.hash.md5
+  level: core
+  name: timezone
   normalize: []
-  original_fieldset: pe
-  short: MD5 hash of the header for the PE file.
+  original_fieldset: geo
+  short: Time zone.
   type: keyword
-threat.indicator.pe.sections:
-  dashed_name: threat-indicator-pe-sections
-  description: Data about sections of compiled binary PE
-  flat_name: threat.indicator.pe.sections
-  level: extended
-  name: sections
-  normalize:
-  - array
-  original_fieldset: pe
-  short: Data about sections of the compiled binary PE
-  type: nested
-threat.indicator.pe.sections.chi2:
-  dashed_name: threat-indicator-pe-sections-chi2
-  description: Chi-square probability distribution.
-  example: 3027194
-  flat_name: threat.indicator.pe.sections.chi2
-  level: extended
-  name: sections.chi2
-  normalize: []
-  original_fieldset: pe
-  short: Chi-square probability distribution.
-  type: long
-threat.indicator.pe.sections.entropy:
-  dashed_name: threat-indicator-pe-sections-entropy
-  description: Measurement of entropy randomness in the file.
-  example: 6.24
-  flat_name: threat.indicator.pe.sections.entropy
+threat.indicator.ip:
+  dashed_name: threat-indicator-ip
+  description: Identifies a threat indicator as an IP address (irrespective of direction).
+  example: 1.2.3.4
+  flat_name: threat.indicator.ip
   level: extended
-  name: sections.entropy
+  name: indicator.ip
   normalize: []
-  original_fieldset: pe
-  short: Measurement of entropy randomness in the file.
-  type: float
-threat.indicator.pe.sections.flags:
-  dashed_name: threat-indicator-pe-sections-flags
-  description: Section flags of the file.
-  example: rx
-  flat_name: threat.indicator.pe.sections.flags
-  ignore_above: 1024
+  short: Indicator IP address
+  type: ip
+threat.indicator.last_seen:
+  dashed_name: threat-indicator-last-seen
+  description: The date and time when intelligence source last reported sighting this
+    indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.last_seen
   level: extended
-  name: sections.flags
+  name: indicator.last_seen
   normalize: []
-  original_fieldset: pe
-  short: Section flags of the file.
-  type: keyword
-threat.indicator.pe.sections.name:
-  dashed_name: threat-indicator-pe-sections-name
-  description: Section names of the file.
-  example: .text, .data
-  flat_name: threat.indicator.pe.sections.name
+  short: Date/time indicator was last reported.
+  type: date
+threat.indicator.marking.tlp:
+  dashed_name: threat-indicator-marking-tlp
+  description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
+    \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+  example: WHITE
+  flat_name: threat.indicator.marking.tlp
   ignore_above: 1024
   level: extended
-  name: sections.name
+  name: indicator.marking.tlp
   normalize: []
-  original_fieldset: pe
-  short: Section names of the file.
+  short: Indicator TLP marking
   type: keyword
-threat.indicator.pe.sections.raw_size:
-  dashed_name: threat-indicator-pe-sections-raw-size
-  description: Size of the section or the dize of the initialized data on disk.
-  example: 198144
-  flat_name: threat.indicator.pe.sections.raw_size
-  format: bytes
-  level: extended
-  name: sections.raw_size
-  normalize: []
-  original_fieldset: pe
-  short: Size of the section or the dize of the initialized data on disk.
-  type: long
-threat.indicator.pe.sections.virtual_address:
-  dashed_name: threat-indicator-pe-sections-virtual-address
-  description: Virtual address available to the file.
-  example: 8192
-  flat_name: threat.indicator.pe.sections.virtual_address
-  format: bytes
+threat.indicator.modified_at:
+  dashed_name: threat-indicator-modified-at
+  description: The date and time when intelligence source last modified information
+    for this indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.modified_at
   level: extended
-  name: sections.virtual_address
+  name: indicator.modified_at
   normalize: []
-  original_fieldset: pe
-  short: Virtual address available to the file.
-  type: long
+  short: Date/time indicator was last updated.
+  type: date
 threat.indicator.port:
   dashed_name: threat-indicator-port
   description: Identifies a threat indicator as a port number (irrespective of direction).
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index f0eee791fe..964730b939 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -235,6 +235,86 @@ base:
   short: All fields defined directly at the root of the events.
   title: Base
   type: group
+cgroup:
+  description: Fields related to control group (cgroup) metrics. Due to controller
+    changes between V1 and V2, many same or similar metrics will often appear under
+    different controller names. These fields are common to both cgroup versions.
+  fields:
+    cgroup.cpu.periods:
+      dashed_name: cgroup-cpu-periods
+      description: Number of period intervals that have elapsed.
+      example: 454839343
+      flat_name: cgroup.cpu.periods
+      level: extended
+      name: cpu.periods
+      normalize: []
+      short: Number of period intervals that have elapsed.
+      type: long
+    cgroup.cpu.throttled.us:
+      dashed_name: cgroup-cpu-throttled-us
+      description: Microseconds of CPU throttled time.
+      example: 15000
+      flat_name: cgroup.cpu.throttled.us
+      level: extended
+      name: cpu.throttled.us
+      normalize: []
+      short: Microseconds of CPU throttled time.
+      type: long
+    cgroup.cpu.usage:
+      dashed_name: cgroup-cpu-usage
+      description: CPU usage, normalized by the CPU count.
+      flat_name: cgroup.cpu.usage
+      level: extended
+      name: cpu.usage
+      normalize: []
+      scaling_factor: 1000
+      short: CPU usage, normalized by the CPU count.
+      type: scaled_float
+    cgroup.memory.limit:
+      dashed_name: cgroup-memory-limit
+      description: Memory limit within the cgroup.
+      example: 256
+      flat_name: cgroup.memory.limit
+      level: extended
+      name: memory.limit
+      normalize: []
+      short: Memory limit within the cgroup.
+      type: long
+    cgroup.memory.swap.usage:
+      dashed_name: cgroup-memory-swap-usage
+      description: The amount of cgroup memory in swap.
+      example: 5600
+      flat_name: cgroup.memory.swap.usage
+      level: extended
+      name: memory.swap.usage
+      normalize: []
+      short: The amount of cgroup memory in swap.
+      type: long
+    cgroup.memory.usage:
+      dashed_name: cgroup-memory-usage
+      description: Memory usage in bytes
+      example: 25600
+      flat_name: cgroup.memory.usage
+      level: extended
+      name: memory.usage
+      normalize: []
+      short: Memory usage in bytes
+      type: long
+    cgroup.version:
+      dashed_name: cgroup-version
+      description: The cgroup version linked to the metrics
+      flat_name: cgroup.version
+      level: extended
+      name: version
+      normalize: []
+      short: The cgroup version linked to the metrics
+      type: long
+  group: 2
+  name: cgroup
+  prefix: cgroup.
+  short: fields common to cgroups V1 and V2
+  title: Common cgroup metrics
+  type: group
 client:
   description: 'A client is defined as the initiator of a network connection for events
     regarding sessions, connections, or bidirectional flow records.
@@ -804,6 +884,152 @@ cloud:
       normalize: []
       short: Machine type of the host machine.
       type: keyword
+    cloud.origin.account.id:
+      dashed_name: cloud-origin-account-id
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      flat_name: cloud.origin.account.id
+      ignore_above: 1024
+      level: extended
+      name: account.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account or organization id.
+      type: keyword
+    cloud.origin.account.name:
+      dashed_name: cloud-origin-account-name
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      flat_name: cloud.origin.account.name
+      ignore_above: 1024
+      level: extended
+      name: account.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account name.
+      type: keyword
+    cloud.origin.availability_zone:
+      dashed_name: cloud-origin-availability-zone
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      flat_name: cloud.origin.availability_zone
+      ignore_above: 1024
+      level: extended
+      name: availability_zone
+      normalize: []
+      original_fieldset: cloud
+      short: Availability zone in which this host, resource, or service is located.
+      type: keyword
+    cloud.origin.instance.id:
+      dashed_name: cloud-origin-instance-id
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      flat_name: cloud.origin.instance.id
+      ignore_above: 1024
+      level: extended
+      name: instance.id
+      normalize: []
+      original_fieldset: cloud
+      short: Instance ID of the host machine.
+      type: keyword
+    cloud.origin.instance.name:
+      dashed_name: cloud-origin-instance-name
+      description: Instance name of the host machine.
+      flat_name: cloud.origin.instance.name
+      ignore_above: 1024
+      level: extended
+      name: instance.name
+      normalize: []
+      original_fieldset: cloud
+      short: Instance name of the host machine.
+      type: keyword
+    cloud.origin.machine.type:
+      dashed_name: cloud-origin-machine-type
+      description: Machine type of the host machine.
+      example: t2.medium
+      flat_name: cloud.origin.machine.type
+      ignore_above: 1024
+      level: extended
+      name: machine.type
+      normalize: []
+      original_fieldset: cloud
+      short: Machine type of the host machine.
+      type: keyword
+    cloud.origin.project.id:
+      dashed_name: cloud-origin-project-id
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      flat_name: cloud.origin.project.id
+      ignore_above: 1024
+      level: extended
+      name: project.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project id.
+      type: keyword
+    cloud.origin.project.name:
+      dashed_name: cloud-origin-project-name
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      flat_name: cloud.origin.project.name
+      ignore_above: 1024
+      level: extended
+      name: project.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project name.
+      type: keyword
+    cloud.origin.provider:
+      dashed_name: cloud-origin-provider
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      flat_name: cloud.origin.provider
+      ignore_above: 1024
+      level: extended
+      name: provider
+      normalize: []
+      original_fieldset: cloud
+      short: Name of the cloud provider.
+      type: keyword
+    cloud.origin.region:
+      dashed_name: cloud-origin-region
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      flat_name: cloud.origin.region
+      ignore_above: 1024
+      level: extended
+      name: region
+      normalize: []
+      original_fieldset: cloud
+      short: Region in which this host, resource, or service is located.
+      type: keyword
+    cloud.origin.service.name:
+      dashed_name: cloud-origin-service-name
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      flat_name: cloud.origin.service.name
+      ignore_above: 1024
+      level: extended
+      name: service.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud service name.
+      type: keyword
     cloud.project.id:
       dashed_name: cloud-project-id
       description: 'The cloud project identifier.
@@ -868,14 +1094,199 @@ cloud:
       normalize: []
       short: The cloud service name.
       type: keyword
+    cloud.target.account.id:
+      dashed_name: cloud-target-account-id
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      flat_name: cloud.target.account.id
+      ignore_above: 1024
+      level: extended
+      name: account.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account or organization id.
+      type: keyword
+    cloud.target.account.name:
+      dashed_name: cloud-target-account-name
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      flat_name: cloud.target.account.name
+      ignore_above: 1024
+      level: extended
+      name: account.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account name.
+      type: keyword
+    cloud.target.availability_zone:
+      dashed_name: cloud-target-availability-zone
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      flat_name: cloud.target.availability_zone
+      ignore_above: 1024
+      level: extended
+      name: availability_zone
+      normalize: []
+      original_fieldset: cloud
+      short: Availability zone in which this host, resource, or service is located.
+      type: keyword
+    cloud.target.instance.id:
+      dashed_name: cloud-target-instance-id
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      flat_name: cloud.target.instance.id
+      ignore_above: 1024
+      level: extended
+      name: instance.id
+      normalize: []
+      original_fieldset: cloud
+      short: Instance ID of the host machine.
+      type: keyword
+    cloud.target.instance.name:
+      dashed_name: cloud-target-instance-name
+      description: Instance name of the host machine.
+      flat_name: cloud.target.instance.name
+      ignore_above: 1024
+      level: extended
+      name: instance.name
+      normalize: []
+      original_fieldset: cloud
+      short: Instance name of the host machine.
+      type: keyword
+    cloud.target.machine.type:
+      dashed_name: cloud-target-machine-type
+      description: Machine type of the host machine.
+      example: t2.medium
+      flat_name: cloud.target.machine.type
+      ignore_above: 1024
+      level: extended
+      name: machine.type
+      normalize: []
+      original_fieldset: cloud
+      short: Machine type of the host machine.
+      type: keyword
+    cloud.target.project.id:
+      dashed_name: cloud-target-project-id
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      flat_name: cloud.target.project.id
+      ignore_above: 1024
+      level: extended
+      name: project.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project id.
+      type: keyword
+    cloud.target.project.name:
+      dashed_name: cloud-target-project-name
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      flat_name: cloud.target.project.name
+      ignore_above: 1024
+      level: extended
+      name: project.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project name.
+      type: keyword
+    cloud.target.provider:
+      dashed_name: cloud-target-provider
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      flat_name: cloud.target.provider
+      ignore_above: 1024
+      level: extended
+      name: provider
+      normalize: []
+      original_fieldset: cloud
+      short: Name of the cloud provider.
+      type: keyword
+    cloud.target.region:
+      dashed_name: cloud-target-region
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      flat_name: cloud.target.region
+      ignore_above: 1024
+      level: extended
+      name: region
+      normalize: []
+      original_fieldset: cloud
+      short: Region in which this host, resource, or service is located.
+      type: keyword
+    cloud.target.service.name:
+      dashed_name: cloud-target-service-name
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      flat_name: cloud.target.service.name
+      ignore_above: 1024
+      level: extended
+      name: service.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud service name.
+      type: keyword
   footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from
     its host, the cloud info contains the data about this machine. If Metricbeat runs
     on a remote machine outside the cloud and fetches data from a service running
     in the cloud, the field contains cloud data from the machine the service is running
-    on.'
+    on.
+
+    The cloud fields may be self-nested under cloud.origin.* and cloud.target.*  to
+    describe origin or target service''s cloud information in the context of  incoming
+    or outgoing requests, respectively. However, the fieldsets  cloud.origin.* and
+    cloud.target.* must not be confused with the root cloud  fieldset that is used
+    to describe the cloud context of the actual service  under observation. The fieldset
+    cloud.origin.* may only be used in the  context of incoming requests or events
+    to provide the originating service''s  cloud information. The fieldset cloud.target.*
+    may only be used in the  context of outgoing requests or events to describe the
+    target service''s  cloud information.'
   group: 2
   name: cloud
+  nestings:
+  - cloud.origin
+  - cloud.target
   prefix: cloud.
+  reusable:
+    expected:
+    - as: origin
+      at: cloud
+      beta: Reusing the `cloud` fields in this location is currently considered beta.
+      full: cloud.origin
+      short_override: Provides the cloud information of the origin entity in case
+        of an incoming request or event.
+    - as: target
+      at: cloud
+      beta: Reusing the `cloud` fields in this location is currently considered beta.
+      full: cloud.target
+      short_override: Provides the cloud information of the target entity in case
+        of an outgoing request or event.
+    top_level: true
+  reused_here:
+  - beta: Reusing the `cloud` fields in this location is currently considered beta.
+    full: cloud.origin
+    schema_name: cloud
+    short: Provides the cloud information of the origin entity in case of an incoming
+      request or event.
+  - beta: Reusing the `cloud` fields in this location is currently considered beta.
+    full: cloud.target
+    schema_name: cloud
+    short: Provides the cloud information of the target entity in case of an outgoing
+      request or event.
   short: Fields about the cloud resource.
   title: Cloud
   type: group
@@ -2393,15 +2804,15 @@ dll:
   - dll.pe
   prefix: dll.
   reused_here:
-  - full: dll.code_signature
-    schema_name: code_signature
-    short: These fields contain information about binary code signatures.
   - full: dll.hash
     schema_name: hash
     short: Hashes, usually file hashes.
   - full: dll.pe
     schema_name: pe
     short: These fields contain Windows Portable Executable (PE) metadata.
+  - full: dll.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
   short: These fields contain information about code libraries dynamically loaded
     into processes.
   title: DLL
@@ -4182,18 +4593,81 @@ event:
   short: Fields breaking down the event details.
   title: Event
   type: group
-file:
-  description: 'A file is defined as a set of information that has been created on,
-    or has existed on a filesystem.
-
-    File objects can be associated with host events, network events, and/or file events
-    (e.g., those produced by File Integrity Monitoring [FIM] products or services).
-    File fields provide details about the affected file associated with the event
-    or metric.'
+faas:
+  beta: These fields are in beta and are subject to change.
+  description: The user fields describe information about the function as a service
+    that is relevant to the event.
   fields:
-    file.accessed:
-      dashed_name: file-accessed
-      description: 'Last time the file was accessed.
+    faas.coldstart:
+      dashed_name: faas-coldstart
+      description: Boolean value indicating a cold start of a function.
+      flat_name: faas.coldstart
+      level: extended
+      name: coldstart
+      normalize: []
+      short: Boolean value indicating a cold start of a function.
+      type: boolean
+    faas.execution:
+      dashed_name: faas-execution
+      description: The execution ID of the current function execution.
+      example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+      flat_name: faas.execution
+      ignore_above: 1024
+      level: extended
+      name: execution
+      normalize: []
+      short: The execution ID of the current function execution.
+      type: keyword
+    faas.trigger:
+      dashed_name: faas-trigger
+      description: Details about the function trigger.
+      flat_name: faas.trigger
+      level: extended
+      name: trigger
+      normalize: []
+      short: Details about the function trigger.
+      type: nested
+    faas.trigger.request_id:
+      dashed_name: faas-trigger-request-id
+      description: The ID of the trigger request , message, event, etc.
+      example: 123456789
+      flat_name: faas.trigger.request_id
+      ignore_above: 1024
+      level: extended
+      name: trigger.request_id
+      normalize: []
+      short: The ID of the trigger request , message, event, etc.
+      type: keyword
+    faas.trigger.type:
+      dashed_name: faas-trigger-type
+      description: "The trigger for the function execution.\nExpected values are:\n\
+        \  * http\n  * pubsub\n  * datasource\n  * timer\n  * other"
+      example: http
+      flat_name: faas.trigger.type
+      ignore_above: 1024
+      level: extended
+      name: trigger.type
+      normalize: []
+      short: The trigger for the function execution.
+      type: keyword
+  group: 2
+  name: faas
+  prefix: faas.
+  short: Fields describing functions as a service.
+  title: FaaS
+  type: group
+file:
+  description: 'A file is defined as a set of information that has been created on,
+    or has existed on a filesystem.
+
+    File objects can be associated with host events, network events, and/or file events
+    (e.g., those produced by File Integrity Monitoring [FIM] products or services).
+    File fields provide details about the affected file associated with the event
+    or metric.'
+  fields:
+    file.accessed:
+      dashed_name: file-accessed
+      description: 'Last time the file was accessed.
 
         Note that not all filesystems keep track of access time.'
       flat_name: file.accessed
@@ -5761,13 +6235,6 @@ file:
       full: threat.enrichments.indicator.file
     top_level: true
   reused_here:
-  - full: file.code_signature
-    schema_name: code_signature
-    short: These fields contain information about binary code signatures.
-  - beta: This field reuse is beta and subject to change.
-    full: file.elf
-    schema_name: elf
-    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
   - full: file.hash
     schema_name: hash
     short: Hashes, usually file hashes.
@@ -5777,6 +6244,13 @@ file:
   - full: file.x509
     schema_name: x509
     short: These fields contain x509 certificate metadata.
+  - full: file.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
+  - beta: This field reuse is beta and subject to change.
+    full: file.elf
+    schema_name: elf
+    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
   short: Fields describing files.
   title: File
   type: group
@@ -6074,13 +6548,6 @@ hash:
     - as: hash
       at: dll
       full: dll.hash
-    - as: hash
-      at: threat.indicator
-      full: threat.indicator.hash
-    - as: hash
-      at: threat.enrichments.indicator
-      beta: Reusing the `hash` fields in this location is currently considered beta.
-      full: threat.enrichments.indicator.hash
     top_level: false
   short: Hashes, usually file hashes.
   title: Hash
@@ -6959,14 +7426,15 @@ network:
   fields:
     network.application:
       dashed_name: network-application
-      description: 'A name given to an application level protocol. This can be arbitrarily
-        assigned for things like microservices, but also apply to things like skype,
-        icq, facebook, twitter. This would be used in situations where the vendor
-        or service can be decoded such as from the source/dest IP owners, ports, or
-        wire format.
-
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+      description: 'When a specific application or service is identified from network
+        connection details (source/dest IPs, ports, certificates, or wire format),
+        this field captures the application''s or service''s name.
+
+        For example, the original event identifies the network connection being from
+        a specific web service in a `https` network connection, like `facebook` or
+        `twitter`.
+
+        The field value must be normalized to lowercase for querying.'
       example: aim
       flat_name: network.application
       ignore_above: 1024
@@ -7112,25 +7580,24 @@ network:
       type: long
     network.protocol:
       dashed_name: network-protocol
-      description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+      description: 'In the OSI Model this would be the Application Layer protocol.
+        For example, `http`, `dns`, or `ssh`.
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: http
       flat_name: network.protocol
       ignore_above: 1024
       level: core
       name: protocol
       normalize: []
-      short: L7 Network protocol name.
+      short: Application protocol name.
       type: keyword
     network.transport:
       dashed_name: network-transport
       description: 'Same as network.iana_number, but instead using the Keyword name
         of the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: tcp
       flat_name: network.transport
       ignore_above: 1024
@@ -7144,8 +7611,7 @@ network:
       description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
         ipsec, pim, etc
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: ipv4
       flat_name: network.type
       ignore_above: 1024
@@ -8624,13 +9090,6 @@ pe:
     - as: pe
       at: process
       full: process.pe
-    - as: pe
-      at: threat.indicator
-      full: threat.indicator.pe
-    - as: pe
-      at: threat.enrichments.indicator
-      beta: Reusing the `pe` fields in this location is currently considered beta.
-      full: threat.enrichments.indicator.pe
     top_level: false
   short: These fields contain Windows Portable Executable (PE) metadata.
   title: PE Header
@@ -10389,18 +10848,6 @@ process:
       original_fieldset: process
       short: Process id.
       type: long
-    process.parent.ppid:
-      dashed_name: process-parent-ppid
-      description: Parent process' pid.
-      example: 4241
-      flat_name: process.parent.ppid
-      format: string
-      level: extended
-      name: ppid
-      normalize: []
-      original_fieldset: process
-      short: Parent process' pid.
-      type: long
     process.parent.start:
       dashed_name: process-parent-start
       description: The time the process started.
@@ -10962,17 +11409,6 @@ process:
       normalize: []
       short: Process id.
       type: long
-    process.ppid:
-      dashed_name: process-ppid
-      description: Parent process' pid.
-      example: 4241
-      flat_name: process.ppid
-      format: string
-      level: extended
-      name: ppid
-      normalize: []
-      short: Parent process' pid.
-      type: long
     process.start:
       dashed_name: process-start
       description: The time the process started.
@@ -10983,2598 +11419,162 @@ process:
       normalize: []
       short: The time the process started.
       type: date
-    process.target.args:
-      dashed_name: process-target-args
-      description: 'Array of process arguments, starting with the absolute path to
-        the executable.
-
-        May be filtered to protect sensitive information.'
-      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
-      flat_name: process.target.args
+    process.thread.id:
+      dashed_name: process-thread-id
+      description: Thread ID.
+      example: 4242
+      flat_name: process.thread.id
+      format: string
+      level: extended
+      name: thread.id
+      normalize: []
+      short: Thread ID.
+      type: long
+    process.thread.name:
+      dashed_name: process-thread-name
+      description: Thread name.
+      example: thread-0
+      flat_name: process.thread.name
       ignore_above: 1024
       level: extended
-      name: args
-      normalize:
-      - array
-      original_fieldset: process
-      short: Array of process arguments.
+      name: thread.name
+      normalize: []
+      short: Thread name.
       type: keyword
-    process.target.args_count:
-      dashed_name: process-target-args-count
-      description: 'Length of the process.args array.
+    process.title:
+      dashed_name: process-title
+      description: 'Process title.
 
-        This field can be useful for querying or performing bucket analysis on how
-        many arguments were provided to start a process. More arguments may be an
-        indication of suspicious activity.'
-      example: 4
-      flat_name: process.target.args_count
+        The proctitle, some times the same as process name. Can also be different:
+        for example a browser setting its title to the web page currently opened.'
+      flat_name: process.title
+      ignore_above: 1024
       level: extended
-      name: args_count
+      multi_fields:
+      - flat_name: process.title.text
+        name: text
+        type: match_only_text
+      name: title
       normalize: []
-      original_fieldset: process
-      short: Length of the process.args array.
+      short: Process title.
+      type: keyword
+    process.uptime:
+      dashed_name: process-uptime
+      description: Seconds the process has been up.
+      example: 1325
+      flat_name: process.uptime
+      level: extended
+      name: uptime
+      normalize: []
+      short: Seconds the process has been up.
       type: long
-    process.target.code_signature.digest_algorithm:
-      dashed_name: process-target-code-signature-digest-algorithm
-      description: 'The hashing algorithm used to sign the process.
-
-        This value can distinguish signatures when a file is signed multiple times
-        by the same signer but with a different digest algorithm.'
-      example: sha256
-      flat_name: process.target.code_signature.digest_algorithm
+    process.working_directory:
+      dashed_name: process-working-directory
+      description: The working directory of the process.
+      example: /home/alice
+      flat_name: process.working_directory
       ignore_above: 1024
       level: extended
-      name: digest_algorithm
+      multi_fields:
+      - flat_name: process.working_directory.text
+        name: text
+        type: match_only_text
+      name: working_directory
       normalize: []
-      original_fieldset: code_signature
-      short: Hashing algorithm used to sign the process.
+      short: The working directory of the process.
       type: keyword
-    process.target.code_signature.exists:
-      dashed_name: process-target-code-signature-exists
-      description: Boolean to capture if a signature is present.
-      example: 'true'
-      flat_name: process.target.code_signature.exists
-      level: core
-      name: exists
-      normalize: []
-      original_fieldset: code_signature
-      short: Boolean to capture if a signature is present.
-      type: boolean
-    process.target.code_signature.signing_id:
-      dashed_name: process-target-code-signature-signing-id
-      description: 'The identifier used to sign the process.
+  group: 2
+  name: process
+  nestings:
+  - process.code_signature
+  - process.elf
+  - process.hash
+  - process.parent
+  - process.pe
+  prefix: process.
+  reusable:
+    expected:
+    - as: parent
+      at: process
+      full: process.parent
+      short_override: Information about the parent process.
+    top_level: true
+  reused_here:
+  - full: process.hash
+    schema_name: hash
+    short: Hashes, usually file hashes.
+  - full: process.pe
+    schema_name: pe
+    short: These fields contain Windows Portable Executable (PE) metadata.
+  - full: process.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
+  - beta: This field reuse is beta and subject to change.
+    full: process.elf
+    schema_name: elf
+    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
+  - full: process.parent
+    schema_name: process
+    short: Information about the parent process.
+  short: These fields contain information about a process.
+  title: Process
+  type: group
+registry:
+  description: Fields related to Windows Registry operations.
+  fields:
+    registry.data.bytes:
+      dashed_name: registry-data-bytes
+      description: 'Original bytes written with base64 encoding.
 
-        This is used to identify the application manufactured by a software vendor.
-        The field is relevant to Apple *OS only.'
-      example: com.apple.xpc.proxy
-      flat_name: process.target.code_signature.signing_id
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+      flat_name: registry.data.bytes
       ignore_above: 1024
       level: extended
-      name: signing_id
+      name: data.bytes
       normalize: []
-      original_fieldset: code_signature
-      short: The identifier used to sign the process.
+      short: Original bytes written with base64 encoding.
       type: keyword
-    process.target.code_signature.status:
-      dashed_name: process-target-code-signature-status
-      description: 'Additional information about the certificate status.
+    registry.data.strings:
+      dashed_name: registry-data-strings
+      description: 'Content when writing string types.
 
-        This is useful for logging cryptographic errors with the certificate validity
-        or trust status. Leave unpopulated if the validity or trust of the certificate
-        was unchecked.'
-      example: ERROR_UNTRUSTED_ROOT
-      flat_name: process.target.code_signature.status
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+      flat_name: registry.data.strings
+      level: core
+      name: data.strings
+      normalize:
+      - array
+      short: List of strings representing what was written to the registry.
+      type: wildcard
+    registry.data.type:
+      dashed_name: registry-data-type
+      description: Standard registry type for encoding contents
+      example: REG_SZ
+      flat_name: registry.data.type
       ignore_above: 1024
-      level: extended
-      name: status
+      level: core
+      name: data.type
       normalize: []
-      original_fieldset: code_signature
-      short: Additional information about the certificate status.
+      short: Standard registry type for encoding contents
       type: keyword
-    process.target.code_signature.subject_name:
-      dashed_name: process-target-code-signature-subject-name
-      description: Subject name of the code signer
-      example: Microsoft Corporation
-      flat_name: process.target.code_signature.subject_name
+    registry.hive:
+      dashed_name: registry-hive
+      description: Abbreviated name for the hive.
+      example: HKLM
+      flat_name: registry.hive
       ignore_above: 1024
       level: core
-      name: subject_name
+      name: hive
       normalize: []
-      original_fieldset: code_signature
-      short: Subject name of the code signer
-      type: keyword
-    process.target.code_signature.team_id:
-      dashed_name: process-target-code-signature-team-id
-      description: 'The team identifier used to sign the process.
-
-        This is used to identify the team or vendor of a software product. The field
-        is relevant to Apple *OS only.'
-      example: EQHXZ8M8AV
-      flat_name: process.target.code_signature.team_id
-      ignore_above: 1024
-      level: extended
-      name: team_id
-      normalize: []
-      original_fieldset: code_signature
-      short: The team identifier used to sign the process.
-      type: keyword
-    process.target.code_signature.timestamp:
-      dashed_name: process-target-code-signature-timestamp
-      description: Date and time when the code signature was generated and signed.
-      example: '2021-01-01T12:10:30Z'
-      flat_name: process.target.code_signature.timestamp
-      level: extended
-      name: timestamp
-      normalize: []
-      original_fieldset: code_signature
-      short: When the signature was generated and signed.
-      type: date
-    process.target.code_signature.trusted:
-      dashed_name: process-target-code-signature-trusted
-      description: 'Stores the trust status of the certificate chain.
-
-        Validating the trust of the certificate chain may be complicated, and this
-        field should only be populated by tools that actively check the status.'
-      example: 'true'
-      flat_name: process.target.code_signature.trusted
-      level: extended
-      name: trusted
-      normalize: []
-      original_fieldset: code_signature
-      short: Stores the trust status of the certificate chain.
-      type: boolean
-    process.target.code_signature.valid:
-      dashed_name: process-target-code-signature-valid
-      description: 'Boolean to capture if the digital signature is verified against
-        the binary content.
-
-        Leave unpopulated if a certificate was unchecked.'
-      example: 'true'
-      flat_name: process.target.code_signature.valid
-      level: extended
-      name: valid
-      normalize: []
-      original_fieldset: code_signature
-      short: Boolean to capture if the digital signature is verified against the binary
-        content.
-      type: boolean
-    process.target.command_line:
-      dashed_name: process-target-command-line
-      description: 'Full command line that started the process, including the absolute
-        path to the executable, and all arguments.
-
-        Some arguments may be filtered to protect sensitive information.'
-      example: /usr/bin/ssh -l user 10.0.0.16
-      flat_name: process.target.command_line
-      level: extended
-      multi_fields:
-      - flat_name: process.target.command_line.text
-        name: text
-        type: match_only_text
-      name: command_line
-      normalize: []
-      original_fieldset: process
-      short: Full command line that started the process.
-      type: wildcard
-    process.target.elf.architecture:
-      dashed_name: process-target-elf-architecture
-      description: Machine architecture of the ELF file.
-      example: x86-64
-      flat_name: process.target.elf.architecture
-      ignore_above: 1024
-      level: extended
-      name: architecture
-      normalize: []
-      original_fieldset: elf
-      short: Machine architecture of the ELF file.
-      type: keyword
-    process.target.elf.byte_order:
-      dashed_name: process-target-elf-byte-order
-      description: Byte sequence of ELF file.
-      example: Little Endian
-      flat_name: process.target.elf.byte_order
-      ignore_above: 1024
-      level: extended
-      name: byte_order
-      normalize: []
-      original_fieldset: elf
-      short: Byte sequence of ELF file.
-      type: keyword
-    process.target.elf.cpu_type:
-      dashed_name: process-target-elf-cpu-type
-      description: CPU type of the ELF file.
-      example: Intel
-      flat_name: process.target.elf.cpu_type
-      ignore_above: 1024
-      level: extended
-      name: cpu_type
-      normalize: []
-      original_fieldset: elf
-      short: CPU type of the ELF file.
-      type: keyword
-    process.target.elf.creation_date:
-      dashed_name: process-target-elf-creation-date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      flat_name: process.target.elf.creation_date
-      level: extended
-      name: creation_date
-      normalize: []
-      original_fieldset: elf
-      short: Build or compile date.
-      type: date
-    process.target.elf.exports:
-      dashed_name: process-target-elf-exports
-      description: List of exported element names and types.
-      flat_name: process.target.elf.exports
-      level: extended
-      name: exports
-      normalize:
-      - array
-      original_fieldset: elf
-      short: List of exported element names and types.
-      type: flattened
-    process.target.elf.header.abi_version:
-      dashed_name: process-target-elf-header-abi-version
-      description: Version of the ELF Application Binary Interface (ABI).
-      flat_name: process.target.elf.header.abi_version
-      ignore_above: 1024
-      level: extended
-      name: header.abi_version
-      normalize: []
-      original_fieldset: elf
-      short: Version of the ELF Application Binary Interface (ABI).
-      type: keyword
-    process.target.elf.header.class:
-      dashed_name: process-target-elf-header-class
-      description: Header class of the ELF file.
-      flat_name: process.target.elf.header.class
-      ignore_above: 1024
-      level: extended
-      name: header.class
-      normalize: []
-      original_fieldset: elf
-      short: Header class of the ELF file.
-      type: keyword
-    process.target.elf.header.data:
-      dashed_name: process-target-elf-header-data
-      description: Data table of the ELF header.
-      flat_name: process.target.elf.header.data
-      ignore_above: 1024
-      level: extended
-      name: header.data
-      normalize: []
-      original_fieldset: elf
-      short: Data table of the ELF header.
-      type: keyword
-    process.target.elf.header.entrypoint:
-      dashed_name: process-target-elf-header-entrypoint
-      description: Header entrypoint of the ELF file.
-      flat_name: process.target.elf.header.entrypoint
-      format: string
-      level: extended
-      name: header.entrypoint
-      normalize: []
-      original_fieldset: elf
-      short: Header entrypoint of the ELF file.
-      type: long
-    process.target.elf.header.object_version:
-      dashed_name: process-target-elf-header-object-version
-      description: '"0x1" for original ELF files.'
-      flat_name: process.target.elf.header.object_version
-      ignore_above: 1024
-      level: extended
-      name: header.object_version
-      normalize: []
-      original_fieldset: elf
-      short: '"0x1" for original ELF files.'
-      type: keyword
-    process.target.elf.header.os_abi:
-      dashed_name: process-target-elf-header-os-abi
-      description: Application Binary Interface (ABI) of the Linux OS.
-      flat_name: process.target.elf.header.os_abi
-      ignore_above: 1024
-      level: extended
-      name: header.os_abi
-      normalize: []
-      original_fieldset: elf
-      short: Application Binary Interface (ABI) of the Linux OS.
-      type: keyword
-    process.target.elf.header.type:
-      dashed_name: process-target-elf-header-type
-      description: Header type of the ELF file.
-      flat_name: process.target.elf.header.type
-      ignore_above: 1024
-      level: extended
-      name: header.type
-      normalize: []
-      original_fieldset: elf
-      short: Header type of the ELF file.
-      type: keyword
-    process.target.elf.header.version:
-      dashed_name: process-target-elf-header-version
-      description: Version of the ELF header.
-      flat_name: process.target.elf.header.version
-      ignore_above: 1024
-      level: extended
-      name: header.version
-      normalize: []
-      original_fieldset: elf
-      short: Version of the ELF header.
-      type: keyword
-    process.target.elf.imports:
-      dashed_name: process-target-elf-imports
-      description: List of imported element names and types.
-      flat_name: process.target.elf.imports
-      level: extended
-      name: imports
-      normalize:
-      - array
-      original_fieldset: elf
-      short: List of imported element names and types.
-      type: flattened
-    process.target.elf.sections:
-      dashed_name: process-target-elf-sections
-      description: 'An array containing an object for each section of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.sections.*`.'
-      flat_name: process.target.elf.sections
-      level: extended
-      name: sections
-      normalize:
-      - array
-      original_fieldset: elf
-      short: Section information of the ELF file.
-      type: nested
-    process.target.elf.sections.chi2:
-      dashed_name: process-target-elf-sections-chi2
-      description: Chi-square probability distribution of the section.
-      flat_name: process.target.elf.sections.chi2
-      format: number
-      level: extended
-      name: sections.chi2
-      normalize: []
-      original_fieldset: elf
-      short: Chi-square probability distribution of the section.
-      type: long
-    process.target.elf.sections.entropy:
-      dashed_name: process-target-elf-sections-entropy
-      description: Shannon entropy calculation from the section.
-      flat_name: process.target.elf.sections.entropy
-      format: number
-      level: extended
-      name: sections.entropy
-      normalize: []
-      original_fieldset: elf
-      short: Shannon entropy calculation from the section.
-      type: long
-    process.target.elf.sections.flags:
-      dashed_name: process-target-elf-sections-flags
-      description: ELF Section List flags.
-      flat_name: process.target.elf.sections.flags
-      ignore_above: 1024
-      level: extended
-      name: sections.flags
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List flags.
-      type: keyword
-    process.target.elf.sections.name:
-      dashed_name: process-target-elf-sections-name
-      description: ELF Section List name.
-      flat_name: process.target.elf.sections.name
-      ignore_above: 1024
-      level: extended
-      name: sections.name
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List name.
-      type: keyword
-    process.target.elf.sections.physical_offset:
-      dashed_name: process-target-elf-sections-physical-offset
-      description: ELF Section List offset.
-      flat_name: process.target.elf.sections.physical_offset
-      ignore_above: 1024
-      level: extended
-      name: sections.physical_offset
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List offset.
-      type: keyword
-    process.target.elf.sections.physical_size:
-      dashed_name: process-target-elf-sections-physical-size
-      description: ELF Section List physical size.
-      flat_name: process.target.elf.sections.physical_size
-      format: bytes
-      level: extended
-      name: sections.physical_size
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List physical size.
-      type: long
-    process.target.elf.sections.type:
-      dashed_name: process-target-elf-sections-type
-      description: ELF Section List type.
-      flat_name: process.target.elf.sections.type
-      ignore_above: 1024
-      level: extended
-      name: sections.type
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List type.
-      type: keyword
-    process.target.elf.sections.virtual_address:
-      dashed_name: process-target-elf-sections-virtual-address
-      description: ELF Section List virtual address.
-      flat_name: process.target.elf.sections.virtual_address
-      format: string
-      level: extended
-      name: sections.virtual_address
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List virtual address.
-      type: long
-    process.target.elf.sections.virtual_size:
-      dashed_name: process-target-elf-sections-virtual-size
-      description: ELF Section List virtual size.
-      flat_name: process.target.elf.sections.virtual_size
-      format: string
-      level: extended
-      name: sections.virtual_size
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List virtual size.
-      type: long
-    process.target.elf.segments:
-      dashed_name: process-target-elf-segments
-      description: 'An array containing an object for each segment of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.segments.*`.'
-      flat_name: process.target.elf.segments
-      level: extended
-      name: segments
-      normalize:
-      - array
-      original_fieldset: elf
-      short: ELF object segment list.
-      type: nested
-    process.target.elf.segments.sections:
-      dashed_name: process-target-elf-segments-sections
-      description: ELF object segment sections.
-      flat_name: process.target.elf.segments.sections
-      ignore_above: 1024
-      level: extended
-      name: segments.sections
-      normalize: []
-      original_fieldset: elf
-      short: ELF object segment sections.
-      type: keyword
-    process.target.elf.segments.type:
-      dashed_name: process-target-elf-segments-type
-      description: ELF object segment type.
-      flat_name: process.target.elf.segments.type
-      ignore_above: 1024
-      level: extended
-      name: segments.type
-      normalize: []
-      original_fieldset: elf
-      short: ELF object segment type.
-      type: keyword
-    process.target.elf.shared_libraries:
-      dashed_name: process-target-elf-shared-libraries
-      description: List of shared libraries used by this ELF object.
-      flat_name: process.target.elf.shared_libraries
-      ignore_above: 1024
-      level: extended
-      name: shared_libraries
-      normalize:
-      - array
-      original_fieldset: elf
-      short: List of shared libraries used by this ELF object.
-      type: keyword
-    process.target.elf.telfhash:
-      dashed_name: process-target-elf-telfhash
-      description: telfhash symbol hash for ELF file.
-      flat_name: process.target.elf.telfhash
-      ignore_above: 1024
-      level: extended
-      name: telfhash
-      normalize: []
-      original_fieldset: elf
-      short: telfhash hash for ELF file.
-      type: keyword
-    process.target.end:
-      dashed_name: process-target-end
-      description: The time the process ended.
-      example: '2016-05-23T08:05:34.853Z'
-      flat_name: process.target.end
-      level: extended
-      name: end
-      normalize: []
-      original_fieldset: process
-      short: The time the process ended.
-      type: date
-    process.target.entity_id:
-      dashed_name: process-target-entity-id
-      description: 'Unique identifier for the process.
-
-        The implementation of this is specified by the data source, but some examples
-        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
-        or a hash of some uniquely identifying components of a process.
-
-        Constructing a globally unique identifier is a common practice to mitigate
-        PID reuse as well as to identify a specific process over time, across multiple
-        monitored hosts.'
-      example: c2c455d9f99375d
-      flat_name: process.target.entity_id
-      ignore_above: 1024
-      level: extended
-      name: entity_id
-      normalize: []
-      original_fieldset: process
-      short: Unique identifier for the process.
-      type: keyword
-    process.target.executable:
-      dashed_name: process-target-executable
-      description: Absolute path to the process executable.
-      example: /usr/bin/ssh
-      flat_name: process.target.executable
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.executable.text
-        name: text
-        type: match_only_text
-      name: executable
-      normalize: []
-      original_fieldset: process
-      short: Absolute path to the process executable.
-      type: keyword
-    process.target.exit_code:
-      dashed_name: process-target-exit-code
-      description: 'The exit code of the process, if this is a termination event.
-
-        The field should be absent if there is no exit code for the event (e.g. process
-        start).'
-      example: 137
-      flat_name: process.target.exit_code
-      level: extended
-      name: exit_code
-      normalize: []
-      original_fieldset: process
-      short: The exit code of the process.
-      type: long
-    process.target.hash.md5:
-      dashed_name: process-target-hash-md5
-      description: MD5 hash.
-      flat_name: process.target.hash.md5
-      ignore_above: 1024
-      level: extended
-      name: md5
-      normalize: []
-      original_fieldset: hash
-      short: MD5 hash.
-      type: keyword
-    process.target.hash.sha1:
-      dashed_name: process-target-hash-sha1
-      description: SHA1 hash.
-      flat_name: process.target.hash.sha1
-      ignore_above: 1024
-      level: extended
-      name: sha1
-      normalize: []
-      original_fieldset: hash
-      short: SHA1 hash.
-      type: keyword
-    process.target.hash.sha256:
-      dashed_name: process-target-hash-sha256
-      description: SHA256 hash.
-      flat_name: process.target.hash.sha256
-      ignore_above: 1024
-      level: extended
-      name: sha256
-      normalize: []
-      original_fieldset: hash
-      short: SHA256 hash.
-      type: keyword
-    process.target.hash.sha512:
-      dashed_name: process-target-hash-sha512
-      description: SHA512 hash.
-      flat_name: process.target.hash.sha512
-      ignore_above: 1024
-      level: extended
-      name: sha512
-      normalize: []
-      original_fieldset: hash
-      short: SHA512 hash.
-      type: keyword
-    process.target.hash.ssdeep:
-      dashed_name: process-target-hash-ssdeep
-      description: SSDEEP hash.
-      flat_name: process.target.hash.ssdeep
-      ignore_above: 1024
-      level: extended
-      name: ssdeep
-      normalize: []
-      original_fieldset: hash
-      short: SSDEEP hash.
-      type: keyword
-    process.target.name:
-      dashed_name: process-target-name
-      description: 'Process name.
-
-        Sometimes called program name or similar.'
-      example: ssh
-      flat_name: process.target.name
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.name.text
-        name: text
-        type: match_only_text
-      name: name
-      normalize: []
-      original_fieldset: process
-      short: Process name.
-      type: keyword
-    process.target.parent.args:
-      dashed_name: process-target-parent-args
-      description: 'Array of process arguments, starting with the absolute path to
-        the executable.
-
-        May be filtered to protect sensitive information.'
-      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
-      flat_name: process.target.parent.args
-      ignore_above: 1024
-      level: extended
-      name: args
-      normalize:
-      - array
-      original_fieldset: process
-      short: Array of process arguments.
-      type: keyword
-    process.target.parent.args_count:
-      dashed_name: process-target-parent-args-count
-      description: 'Length of the process.args array.
-
-        This field can be useful for querying or performing bucket analysis on how
-        many arguments were provided to start a process. More arguments may be an
-        indication of suspicious activity.'
-      example: 4
-      flat_name: process.target.parent.args_count
-      level: extended
-      name: args_count
-      normalize: []
-      original_fieldset: process
-      short: Length of the process.args array.
-      type: long
-    process.target.parent.code_signature.digest_algorithm:
-      dashed_name: process-target-parent-code-signature-digest-algorithm
-      description: 'The hashing algorithm used to sign the process.
-
-        This value can distinguish signatures when a file is signed multiple times
-        by the same signer but with a different digest algorithm.'
-      example: sha256
-      flat_name: process.target.parent.code_signature.digest_algorithm
-      ignore_above: 1024
-      level: extended
-      name: digest_algorithm
-      normalize: []
-      original_fieldset: code_signature
-      short: Hashing algorithm used to sign the process.
-      type: keyword
-    process.target.parent.code_signature.exists:
-      dashed_name: process-target-parent-code-signature-exists
-      description: Boolean to capture if a signature is present.
-      example: 'true'
-      flat_name: process.target.parent.code_signature.exists
-      level: core
-      name: exists
-      normalize: []
-      original_fieldset: code_signature
-      short: Boolean to capture if a signature is present.
-      type: boolean
-    process.target.parent.code_signature.signing_id:
-      dashed_name: process-target-parent-code-signature-signing-id
-      description: 'The identifier used to sign the process.
-
-        This is used to identify the application manufactured by a software vendor.
-        The field is relevant to Apple *OS only.'
-      example: com.apple.xpc.proxy
-      flat_name: process.target.parent.code_signature.signing_id
-      ignore_above: 1024
-      level: extended
-      name: signing_id
-      normalize: []
-      original_fieldset: code_signature
-      short: The identifier used to sign the process.
-      type: keyword
-    process.target.parent.code_signature.status:
-      dashed_name: process-target-parent-code-signature-status
-      description: 'Additional information about the certificate status.
-
-        This is useful for logging cryptographic errors with the certificate validity
-        or trust status. Leave unpopulated if the validity or trust of the certificate
-        was unchecked.'
-      example: ERROR_UNTRUSTED_ROOT
-      flat_name: process.target.parent.code_signature.status
-      ignore_above: 1024
-      level: extended
-      name: status
-      normalize: []
-      original_fieldset: code_signature
-      short: Additional information about the certificate status.
-      type: keyword
-    process.target.parent.code_signature.subject_name:
-      dashed_name: process-target-parent-code-signature-subject-name
-      description: Subject name of the code signer
-      example: Microsoft Corporation
-      flat_name: process.target.parent.code_signature.subject_name
-      ignore_above: 1024
-      level: core
-      name: subject_name
-      normalize: []
-      original_fieldset: code_signature
-      short: Subject name of the code signer
-      type: keyword
-    process.target.parent.code_signature.team_id:
-      dashed_name: process-target-parent-code-signature-team-id
-      description: 'The team identifier used to sign the process.
-
-        This is used to identify the team or vendor of a software product. The field
-        is relevant to Apple *OS only.'
-      example: EQHXZ8M8AV
-      flat_name: process.target.parent.code_signature.team_id
-      ignore_above: 1024
-      level: extended
-      name: team_id
-      normalize: []
-      original_fieldset: code_signature
-      short: The team identifier used to sign the process.
-      type: keyword
-    process.target.parent.code_signature.timestamp:
-      dashed_name: process-target-parent-code-signature-timestamp
-      description: Date and time when the code signature was generated and signed.
-      example: '2021-01-01T12:10:30Z'
-      flat_name: process.target.parent.code_signature.timestamp
-      level: extended
-      name: timestamp
-      normalize: []
-      original_fieldset: code_signature
-      short: When the signature was generated and signed.
-      type: date
-    process.target.parent.code_signature.trusted:
-      dashed_name: process-target-parent-code-signature-trusted
-      description: 'Stores the trust status of the certificate chain.
-
-        Validating the trust of the certificate chain may be complicated, and this
-        field should only be populated by tools that actively check the status.'
-      example: 'true'
-      flat_name: process.target.parent.code_signature.trusted
-      level: extended
-      name: trusted
-      normalize: []
-      original_fieldset: code_signature
-      short: Stores the trust status of the certificate chain.
-      type: boolean
-    process.target.parent.code_signature.valid:
-      dashed_name: process-target-parent-code-signature-valid
-      description: 'Boolean to capture if the digital signature is verified against
-        the binary content.
-
-        Leave unpopulated if a certificate was unchecked.'
-      example: 'true'
-      flat_name: process.target.parent.code_signature.valid
-      level: extended
-      name: valid
-      normalize: []
-      original_fieldset: code_signature
-      short: Boolean to capture if the digital signature is verified against the binary
-        content.
-      type: boolean
-    process.target.parent.command_line:
-      dashed_name: process-target-parent-command-line
-      description: 'Full command line that started the process, including the absolute
-        path to the executable, and all arguments.
-
-        Some arguments may be filtered to protect sensitive information.'
-      example: /usr/bin/ssh -l user 10.0.0.16
-      flat_name: process.target.parent.command_line
-      level: extended
-      multi_fields:
-      - flat_name: process.target.parent.command_line.text
-        name: text
-        type: match_only_text
-      name: command_line
-      normalize: []
-      original_fieldset: process
-      short: Full command line that started the process.
-      type: wildcard
-    process.target.parent.elf.architecture:
-      dashed_name: process-target-parent-elf-architecture
-      description: Machine architecture of the ELF file.
-      example: x86-64
-      flat_name: process.target.parent.elf.architecture
-      ignore_above: 1024
-      level: extended
-      name: architecture
-      normalize: []
-      original_fieldset: elf
-      short: Machine architecture of the ELF file.
-      type: keyword
-    process.target.parent.elf.byte_order:
-      dashed_name: process-target-parent-elf-byte-order
-      description: Byte sequence of ELF file.
-      example: Little Endian
-      flat_name: process.target.parent.elf.byte_order
-      ignore_above: 1024
-      level: extended
-      name: byte_order
-      normalize: []
-      original_fieldset: elf
-      short: Byte sequence of ELF file.
-      type: keyword
-    process.target.parent.elf.cpu_type:
-      dashed_name: process-target-parent-elf-cpu-type
-      description: CPU type of the ELF file.
-      example: Intel
-      flat_name: process.target.parent.elf.cpu_type
-      ignore_above: 1024
-      level: extended
-      name: cpu_type
-      normalize: []
-      original_fieldset: elf
-      short: CPU type of the ELF file.
-      type: keyword
-    process.target.parent.elf.creation_date:
-      dashed_name: process-target-parent-elf-creation-date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      flat_name: process.target.parent.elf.creation_date
-      level: extended
-      name: creation_date
-      normalize: []
-      original_fieldset: elf
-      short: Build or compile date.
-      type: date
-    process.target.parent.elf.exports:
-      dashed_name: process-target-parent-elf-exports
-      description: List of exported element names and types.
-      flat_name: process.target.parent.elf.exports
-      level: extended
-      name: exports
-      normalize:
-      - array
-      original_fieldset: elf
-      short: List of exported element names and types.
-      type: flattened
-    process.target.parent.elf.header.abi_version:
-      dashed_name: process-target-parent-elf-header-abi-version
-      description: Version of the ELF Application Binary Interface (ABI).
-      flat_name: process.target.parent.elf.header.abi_version
-      ignore_above: 1024
-      level: extended
-      name: header.abi_version
-      normalize: []
-      original_fieldset: elf
-      short: Version of the ELF Application Binary Interface (ABI).
-      type: keyword
-    process.target.parent.elf.header.class:
-      dashed_name: process-target-parent-elf-header-class
-      description: Header class of the ELF file.
-      flat_name: process.target.parent.elf.header.class
-      ignore_above: 1024
-      level: extended
-      name: header.class
-      normalize: []
-      original_fieldset: elf
-      short: Header class of the ELF file.
-      type: keyword
-    process.target.parent.elf.header.data:
-      dashed_name: process-target-parent-elf-header-data
-      description: Data table of the ELF header.
-      flat_name: process.target.parent.elf.header.data
-      ignore_above: 1024
-      level: extended
-      name: header.data
-      normalize: []
-      original_fieldset: elf
-      short: Data table of the ELF header.
-      type: keyword
-    process.target.parent.elf.header.entrypoint:
-      dashed_name: process-target-parent-elf-header-entrypoint
-      description: Header entrypoint of the ELF file.
-      flat_name: process.target.parent.elf.header.entrypoint
-      format: string
-      level: extended
-      name: header.entrypoint
-      normalize: []
-      original_fieldset: elf
-      short: Header entrypoint of the ELF file.
-      type: long
-    process.target.parent.elf.header.object_version:
-      dashed_name: process-target-parent-elf-header-object-version
-      description: '"0x1" for original ELF files.'
-      flat_name: process.target.parent.elf.header.object_version
-      ignore_above: 1024
-      level: extended
-      name: header.object_version
-      normalize: []
-      original_fieldset: elf
-      short: '"0x1" for original ELF files.'
-      type: keyword
-    process.target.parent.elf.header.os_abi:
-      dashed_name: process-target-parent-elf-header-os-abi
-      description: Application Binary Interface (ABI) of the Linux OS.
-      flat_name: process.target.parent.elf.header.os_abi
-      ignore_above: 1024
-      level: extended
-      name: header.os_abi
-      normalize: []
-      original_fieldset: elf
-      short: Application Binary Interface (ABI) of the Linux OS.
-      type: keyword
-    process.target.parent.elf.header.type:
-      dashed_name: process-target-parent-elf-header-type
-      description: Header type of the ELF file.
-      flat_name: process.target.parent.elf.header.type
-      ignore_above: 1024
-      level: extended
-      name: header.type
-      normalize: []
-      original_fieldset: elf
-      short: Header type of the ELF file.
-      type: keyword
-    process.target.parent.elf.header.version:
-      dashed_name: process-target-parent-elf-header-version
-      description: Version of the ELF header.
-      flat_name: process.target.parent.elf.header.version
-      ignore_above: 1024
-      level: extended
-      name: header.version
-      normalize: []
-      original_fieldset: elf
-      short: Version of the ELF header.
-      type: keyword
-    process.target.parent.elf.imports:
-      dashed_name: process-target-parent-elf-imports
-      description: List of imported element names and types.
-      flat_name: process.target.parent.elf.imports
-      level: extended
-      name: imports
-      normalize:
-      - array
-      original_fieldset: elf
-      short: List of imported element names and types.
-      type: flattened
-    process.target.parent.elf.sections:
-      dashed_name: process-target-parent-elf-sections
-      description: 'An array containing an object for each section of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.sections.*`.'
-      flat_name: process.target.parent.elf.sections
-      level: extended
-      name: sections
-      normalize:
-      - array
-      original_fieldset: elf
-      short: Section information of the ELF file.
-      type: nested
-    process.target.parent.elf.sections.chi2:
-      dashed_name: process-target-parent-elf-sections-chi2
-      description: Chi-square probability distribution of the section.
-      flat_name: process.target.parent.elf.sections.chi2
-      format: number
-      level: extended
-      name: sections.chi2
-      normalize: []
-      original_fieldset: elf
-      short: Chi-square probability distribution of the section.
-      type: long
-    process.target.parent.elf.sections.entropy:
-      dashed_name: process-target-parent-elf-sections-entropy
-      description: Shannon entropy calculation from the section.
-      flat_name: process.target.parent.elf.sections.entropy
-      format: number
-      level: extended
-      name: sections.entropy
-      normalize: []
-      original_fieldset: elf
-      short: Shannon entropy calculation from the section.
-      type: long
-    process.target.parent.elf.sections.flags:
-      dashed_name: process-target-parent-elf-sections-flags
-      description: ELF Section List flags.
-      flat_name: process.target.parent.elf.sections.flags
-      ignore_above: 1024
-      level: extended
-      name: sections.flags
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List flags.
-      type: keyword
-    process.target.parent.elf.sections.name:
-      dashed_name: process-target-parent-elf-sections-name
-      description: ELF Section List name.
-      flat_name: process.target.parent.elf.sections.name
-      ignore_above: 1024
-      level: extended
-      name: sections.name
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List name.
-      type: keyword
-    process.target.parent.elf.sections.physical_offset:
-      dashed_name: process-target-parent-elf-sections-physical-offset
-      description: ELF Section List offset.
-      flat_name: process.target.parent.elf.sections.physical_offset
-      ignore_above: 1024
-      level: extended
-      name: sections.physical_offset
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List offset.
-      type: keyword
-    process.target.parent.elf.sections.physical_size:
-      dashed_name: process-target-parent-elf-sections-physical-size
-      description: ELF Section List physical size.
-      flat_name: process.target.parent.elf.sections.physical_size
-      format: bytes
-      level: extended
-      name: sections.physical_size
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List physical size.
-      type: long
-    process.target.parent.elf.sections.type:
-      dashed_name: process-target-parent-elf-sections-type
-      description: ELF Section List type.
-      flat_name: process.target.parent.elf.sections.type
-      ignore_above: 1024
-      level: extended
-      name: sections.type
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List type.
-      type: keyword
-    process.target.parent.elf.sections.virtual_address:
-      dashed_name: process-target-parent-elf-sections-virtual-address
-      description: ELF Section List virtual address.
-      flat_name: process.target.parent.elf.sections.virtual_address
-      format: string
-      level: extended
-      name: sections.virtual_address
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List virtual address.
-      type: long
-    process.target.parent.elf.sections.virtual_size:
-      dashed_name: process-target-parent-elf-sections-virtual-size
-      description: ELF Section List virtual size.
-      flat_name: process.target.parent.elf.sections.virtual_size
-      format: string
-      level: extended
-      name: sections.virtual_size
-      normalize: []
-      original_fieldset: elf
-      short: ELF Section List virtual size.
-      type: long
-    process.target.parent.elf.segments:
-      dashed_name: process-target-parent-elf-segments
-      description: 'An array containing an object for each segment of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.segments.*`.'
-      flat_name: process.target.parent.elf.segments
-      level: extended
-      name: segments
-      normalize:
-      - array
-      original_fieldset: elf
-      short: ELF object segment list.
-      type: nested
-    process.target.parent.elf.segments.sections:
-      dashed_name: process-target-parent-elf-segments-sections
-      description: ELF object segment sections.
-      flat_name: process.target.parent.elf.segments.sections
-      ignore_above: 1024
-      level: extended
-      name: segments.sections
-      normalize: []
-      original_fieldset: elf
-      short: ELF object segment sections.
-      type: keyword
-    process.target.parent.elf.segments.type:
-      dashed_name: process-target-parent-elf-segments-type
-      description: ELF object segment type.
-      flat_name: process.target.parent.elf.segments.type
-      ignore_above: 1024
-      level: extended
-      name: segments.type
-      normalize: []
-      original_fieldset: elf
-      short: ELF object segment type.
-      type: keyword
-    process.target.parent.elf.shared_libraries:
-      dashed_name: process-target-parent-elf-shared-libraries
-      description: List of shared libraries used by this ELF object.
-      flat_name: process.target.parent.elf.shared_libraries
-      ignore_above: 1024
-      level: extended
-      name: shared_libraries
-      normalize:
-      - array
-      original_fieldset: elf
-      short: List of shared libraries used by this ELF object.
-      type: keyword
-    process.target.parent.elf.telfhash:
-      dashed_name: process-target-parent-elf-telfhash
-      description: telfhash symbol hash for ELF file.
-      flat_name: process.target.parent.elf.telfhash
-      ignore_above: 1024
-      level: extended
-      name: telfhash
-      normalize: []
-      original_fieldset: elf
-      short: telfhash hash for ELF file.
-      type: keyword
-    process.target.parent.end:
-      dashed_name: process-target-parent-end
-      description: The time the process ended.
-      example: '2016-05-23T08:05:34.853Z'
-      flat_name: process.target.parent.end
-      level: extended
-      name: end
-      normalize: []
-      original_fieldset: process
-      short: The time the process ended.
-      type: date
-    process.target.parent.entity_id:
-      dashed_name: process-target-parent-entity-id
-      description: 'Unique identifier for the process.
-
-        The implementation of this is specified by the data source, but some examples
-        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
-        or a hash of some uniquely identifying components of a process.
-
-        Constructing a globally unique identifier is a common practice to mitigate
-        PID reuse as well as to identify a specific process over time, across multiple
-        monitored hosts.'
-      example: c2c455d9f99375d
-      flat_name: process.target.parent.entity_id
-      ignore_above: 1024
-      level: extended
-      name: entity_id
-      normalize: []
-      original_fieldset: process
-      short: Unique identifier for the process.
-      type: keyword
-    process.target.parent.executable:
-      dashed_name: process-target-parent-executable
-      description: Absolute path to the process executable.
-      example: /usr/bin/ssh
-      flat_name: process.target.parent.executable
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.parent.executable.text
-        name: text
-        type: match_only_text
-      name: executable
-      normalize: []
-      original_fieldset: process
-      short: Absolute path to the process executable.
-      type: keyword
-    process.target.parent.exit_code:
-      dashed_name: process-target-parent-exit-code
-      description: 'The exit code of the process, if this is a termination event.
-
-        The field should be absent if there is no exit code for the event (e.g. process
-        start).'
-      example: 137
-      flat_name: process.target.parent.exit_code
-      level: extended
-      name: exit_code
-      normalize: []
-      original_fieldset: process
-      short: The exit code of the process.
-      type: long
-    process.target.parent.hash.md5:
-      dashed_name: process-target-parent-hash-md5
-      description: MD5 hash.
-      flat_name: process.target.parent.hash.md5
-      ignore_above: 1024
-      level: extended
-      name: md5
-      normalize: []
-      original_fieldset: hash
-      short: MD5 hash.
-      type: keyword
-    process.target.parent.hash.sha1:
-      dashed_name: process-target-parent-hash-sha1
-      description: SHA1 hash.
-      flat_name: process.target.parent.hash.sha1
-      ignore_above: 1024
-      level: extended
-      name: sha1
-      normalize: []
-      original_fieldset: hash
-      short: SHA1 hash.
-      type: keyword
-    process.target.parent.hash.sha256:
-      dashed_name: process-target-parent-hash-sha256
-      description: SHA256 hash.
-      flat_name: process.target.parent.hash.sha256
-      ignore_above: 1024
-      level: extended
-      name: sha256
-      normalize: []
-      original_fieldset: hash
-      short: SHA256 hash.
-      type: keyword
-    process.target.parent.hash.sha512:
-      dashed_name: process-target-parent-hash-sha512
-      description: SHA512 hash.
-      flat_name: process.target.parent.hash.sha512
-      ignore_above: 1024
-      level: extended
-      name: sha512
-      normalize: []
-      original_fieldset: hash
-      short: SHA512 hash.
-      type: keyword
-    process.target.parent.hash.ssdeep:
-      dashed_name: process-target-parent-hash-ssdeep
-      description: SSDEEP hash.
-      flat_name: process.target.parent.hash.ssdeep
-      ignore_above: 1024
-      level: extended
-      name: ssdeep
-      normalize: []
-      original_fieldset: hash
-      short: SSDEEP hash.
-      type: keyword
-    process.target.parent.name:
-      dashed_name: process-target-parent-name
-      description: 'Process name.
-
-        Sometimes called program name or similar.'
-      example: ssh
-      flat_name: process.target.parent.name
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.parent.name.text
-        name: text
-        type: match_only_text
-      name: name
-      normalize: []
-      original_fieldset: process
-      short: Process name.
-      type: keyword
-    process.target.parent.pe.architecture:
-      dashed_name: process-target-parent-pe-architecture
-      description: CPU architecture target for the file.
-      example: x64
-      flat_name: process.target.parent.pe.architecture
-      ignore_above: 1024
-      level: extended
-      name: architecture
-      normalize: []
-      original_fieldset: pe
-      short: CPU architecture target for the file.
-      type: keyword
-    process.target.parent.pe.authentihash:
-      dashed_name: process-target-parent-pe-authentihash
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-      flat_name: process.target.parent.pe.authentihash
-      ignore_above: 1024
-      level: extended
-      name: authentihash
-      normalize: []
-      original_fieldset: pe
-      short: Authentihash of the PE file.
-      type: keyword
-    process.target.parent.pe.company:
-      dashed_name: process-target-parent-pe-company
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      flat_name: process.target.parent.pe.company
-      ignore_above: 1024
-      level: extended
-      name: company
-      normalize: []
-      original_fieldset: pe
-      short: Internal company name of the file, provided at compile-time.
-      type: keyword
-    process.target.parent.pe.compile_timestamp:
-      dashed_name: process-target-parent-pe-compile-timestamp
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: process.target.parent.pe.compile_timestamp
-      level: extended
-      name: compile_timestamp
-      normalize: []
-      original_fieldset: pe
-      short: Compile timestamp of the PE file.
-      type: date
-    process.target.parent.pe.compiler.name:
-      dashed_name: process-target-parent-pe-compiler-name
-      description: Name of the compiler
-      example: Clang
-      flat_name: process.target.parent.pe.compiler.name
-      ignore_above: 1024
-      level: extended
-      name: compiler.name
-      normalize: []
-      original_fieldset: pe
-      short: Name of the compiler
-      type: keyword
-    process.target.parent.pe.compiler.version:
-      dashed_name: process-target-parent-pe-compiler-version
-      description: Version of the compiler.
-      example: 11.0.0
-      flat_name: process.target.parent.pe.compiler.version
-      ignore_above: 1024
-      level: extended
-      name: compiler.version
-      normalize: []
-      original_fieldset: pe
-      short: Version of the compiler.
-      type: keyword
-    process.target.parent.pe.creation_date:
-      dashed_name: process-target-parent-pe-creation-date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: process.target.parent.pe.creation_date
-      level: extended
-      name: creation_date
-      normalize: []
-      original_fieldset: pe
-      short: Build or compile date.
-      type: date
-    process.target.parent.pe.debug:
-      dashed_name: process-target-parent-pe-debug
-      description: 'An array containing an object for each debug entry, if present.
-
-        The expected fields for this nested object fall under the `debug.` prefix.'
-      flat_name: process.target.parent.pe.debug
-      level: extended
-      name: debug
-      normalize:
-      - array
-      original_fieldset: pe
-      short: Debug information
-      type: nested
-    process.target.parent.pe.debug.offset:
-      dashed_name: process-target-parent-pe-debug-offset
-      description: Debug offset information.
-      example: 1296336
-      flat_name: process.target.parent.pe.debug.offset
-      ignore_above: 1024
-      level: extended
-      name: debug.offset
-      normalize: []
-      original_fieldset: pe
-      short: Debug offset information.
-      type: keyword
-    process.target.parent.pe.debug.size:
-      dashed_name: process-target-parent-pe-debug-size
-      description: Size of the debug information.
-      example: 816
-      flat_name: process.target.parent.pe.debug.size
-      format: bytes
-      level: extended
-      name: debug.size
-      normalize: []
-      original_fieldset: pe
-      short: Size of the debug information.
-      type: long
-    process.target.parent.pe.debug.timestamp:
-      dashed_name: process-target-parent-pe-debug-timestamp
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: process.target.parent.pe.debug.timestamp
-      level: extended
-      name: debug.timestamp
-      normalize: []
-      original_fieldset: pe
-      short: Timestamp of the debug information.
-      type: date
-    process.target.parent.pe.debug.type:
-      dashed_name: process-target-parent-pe-debug-type
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
-      flat_name: process.target.parent.pe.debug.type
-      ignore_above: 1024
-      level: extended
-      name: debug.type
-      normalize: []
-      original_fieldset: pe
-      short: Information type generated by the debug options.
-      type: keyword
-    process.target.parent.pe.description:
-      dashed_name: process-target-parent-pe-description
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      flat_name: process.target.parent.pe.description
-      ignore_above: 1024
-      level: extended
-      name: description
-      normalize: []
-      original_fieldset: pe
-      short: Internal description of the file, provided at compile-time.
-      type: keyword
-    process.target.parent.pe.entry_point:
-      dashed_name: process-target-parent-pe-entry-point
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
-      flat_name: process.target.parent.pe.entry_point
-      ignore_above: 1024
-      level: extended
-      name: entry_point
-      normalize: []
-      original_fieldset: pe
-      short: Relative byte offset to the base of the PE file.
-      type: keyword
-    process.target.parent.pe.exports:
-      dashed_name: process-target-parent-pe-exports
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-      flat_name: process.target.parent.pe.exports
-      ignore_above: 1024
-      level: extended
-      name: exports
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of symbols exported by PE
-      type: keyword
-    process.target.parent.pe.file_version:
-      dashed_name: process-target-parent-pe-file-version
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      flat_name: process.target.parent.pe.file_version
-      ignore_above: 1024
-      level: extended
-      name: file_version
-      normalize: []
-      original_fieldset: pe
-      short: Process name.
-      type: keyword
-    process.target.parent.pe.icon.hash.dhash:
-      dashed_name: process-target-parent-pe-icon-hash-dhash
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
-      flat_name: process.target.parent.pe.icon.hash.dhash
-      ignore_above: 1024
-      level: extended
-      name: icon.hash.dhash
-      normalize: []
-      original_fieldset: pe
-      short: Difference Hash (dhash) to find files with a visually similar icon or
-        thumbnail.
-      type: keyword
-    process.target.parent.pe.imphash:
-      dashed_name: process-target-parent-pe-imphash
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      flat_name: process.target.parent.pe.imphash
-      ignore_above: 1024
-      level: extended
-      name: imphash
-      normalize: []
-      original_fieldset: pe
-      short: A hash of the imports in a PE file.
-      type: keyword
-    process.target.parent.pe.imports:
-      dashed_name: process-target-parent-pe-imports
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
-      flat_name: process.target.parent.pe.imports
-      level: extended
-      name: imports
-      normalize: []
-      original_fieldset: pe
-      short: List of all imported functions
-      type: flattened
-    process.target.parent.pe.machine_type:
-      dashed_name: process-target-parent-pe-machine-type
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
-      flat_name: process.target.parent.pe.machine_type
-      ignore_above: 1024
-      level: extended
-      name: machine_type
-      normalize: []
-      original_fieldset: pe
-      short: Machine type of the PE file.
-      type: keyword
-    process.target.parent.pe.original_file_name:
-      dashed_name: process-target-parent-pe-original-file-name
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      flat_name: process.target.parent.pe.original_file_name
-      ignore_above: 1024
-      level: extended
-      name: original_file_name
-      normalize: []
-      original_fieldset: pe
-      short: Internal name of the file, provided at compile-time.
-      type: keyword
-    process.target.parent.pe.packers:
-      dashed_name: process-target-parent-pe-packers
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
-      flat_name: process.target.parent.pe.packers
-      ignore_above: 1024
-      level: extended
-      name: packers
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of packers and tools used.
-      type: keyword
-    process.target.parent.pe.product:
-      dashed_name: process-target-parent-pe-product
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      flat_name: process.target.parent.pe.product
-      ignore_above: 1024
-      level: extended
-      name: product
-      normalize: []
-      original_fieldset: pe
-      short: Internal product name of the file, provided at compile-time.
-      type: keyword
-    process.target.parent.pe.resources:
-      dashed_name: process-target-parent-pe-resources
-      description: 'An array containing an object for each PE resource, if present.
-
-        The expected fields for this nested object fall under the `resources.` prefix.'
-      flat_name: process.target.parent.pe.resources
-      level: extended
-      name: resources
-      normalize:
-      - array
-      original_fieldset: pe
-      short: PE resource information
-      type: nested
-    process.target.parent.pe.resources.chi2:
-      dashed_name: process-target-parent-pe-resources-chi2
-      description: Chi-square probability distribution.
-      example: -1
-      flat_name: process.target.parent.pe.resources.chi2
-      level: extended
-      name: resources.chi2
-      normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    process.target.parent.pe.resources.entropy:
-      dashed_name: process-target-parent-pe-resources-entropy
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
-      flat_name: process.target.parent.pe.resources.entropy
-      level: extended
-      name: resources.entropy
-      normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the resources section.
-      type: long
-    process.target.parent.pe.resources.filetype:
-      dashed_name: process-target-parent-pe-resources-filetype
-      description: File type of the resources section.
-      example: Data
-      flat_name: process.target.parent.pe.resources.filetype
-      ignore_above: 1024
-      level: extended
-      name: resources.filetype
-      normalize: []
-      original_fieldset: pe
-      short: File type of the resources section.
-      type: keyword
-    process.target.parent.pe.resources.language:
-      dashed_name: process-target-parent-pe-resources-language
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
-      flat_name: process.target.parent.pe.resources.language
-      ignore_above: 1024
-      level: extended
-      name: resources.language
-      normalize: []
-      original_fieldset: pe
-      short: Language identification.
-      type: keyword
-    process.target.parent.pe.resources.sha256:
-      dashed_name: process-target-parent-pe-resources-sha256
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-      flat_name: process.target.parent.pe.resources.sha256
-      ignore_above: 1024
-      level: extended
-      name: resources.sha256
-      normalize: []
-      original_fieldset: pe
-      short: SHA256 hash of resources section.
-      type: keyword
-    process.target.parent.pe.resources.type:
-      dashed_name: process-target-parent-pe-resources-type
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
-      flat_name: process.target.parent.pe.resources.type
-      ignore_above: 1024
-      level: extended
-      name: resources.type
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of resource types.
-      type: keyword
-    process.target.parent.pe.rich_header.hash.md5:
-      dashed_name: process-target-parent-pe-rich-header-hash-md5
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-      flat_name: process.target.parent.pe.rich_header.hash.md5
-      ignore_above: 1024
-      level: extended
-      name: rich_header.hash.md5
-      normalize: []
-      original_fieldset: pe
-      short: MD5 hash of the header for the PE file.
-      type: keyword
-    process.target.parent.pe.sections:
-      dashed_name: process-target-parent-pe-sections
-      description: Data about sections of compiled binary PE
-      flat_name: process.target.parent.pe.sections
-      level: extended
-      name: sections
-      normalize:
-      - array
-      original_fieldset: pe
-      short: Data about sections of the compiled binary PE
-      type: nested
-    process.target.parent.pe.sections.chi2:
-      dashed_name: process-target-parent-pe-sections-chi2
-      description: Chi-square probability distribution.
-      example: 3027194
-      flat_name: process.target.parent.pe.sections.chi2
-      level: extended
-      name: sections.chi2
-      normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    process.target.parent.pe.sections.entropy:
-      dashed_name: process-target-parent-pe-sections-entropy
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
-      flat_name: process.target.parent.pe.sections.entropy
-      level: extended
-      name: sections.entropy
-      normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the file.
-      type: float
-    process.target.parent.pe.sections.flags:
-      dashed_name: process-target-parent-pe-sections-flags
-      description: Section flags of the file.
-      example: rx
-      flat_name: process.target.parent.pe.sections.flags
-      ignore_above: 1024
-      level: extended
-      name: sections.flags
-      normalize: []
-      original_fieldset: pe
-      short: Section flags of the file.
-      type: keyword
-    process.target.parent.pe.sections.name:
-      dashed_name: process-target-parent-pe-sections-name
-      description: Section names of the file.
-      example: .text, .data
-      flat_name: process.target.parent.pe.sections.name
-      ignore_above: 1024
-      level: extended
-      name: sections.name
-      normalize: []
-      original_fieldset: pe
-      short: Section names of the file.
-      type: keyword
-    process.target.parent.pe.sections.raw_size:
-      dashed_name: process-target-parent-pe-sections-raw-size
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      flat_name: process.target.parent.pe.sections.raw_size
-      format: bytes
-      level: extended
-      name: sections.raw_size
-      normalize: []
-      original_fieldset: pe
-      short: Size of the section or the dize of the initialized data on disk.
-      type: long
-    process.target.parent.pe.sections.virtual_address:
-      dashed_name: process-target-parent-pe-sections-virtual-address
-      description: Virtual address available to the file.
-      example: 8192
-      flat_name: process.target.parent.pe.sections.virtual_address
-      format: bytes
-      level: extended
-      name: sections.virtual_address
-      normalize: []
-      original_fieldset: pe
-      short: Virtual address available to the file.
-      type: long
-    process.target.parent.pgid:
-      dashed_name: process-target-parent-pgid
-      description: Identifier of the group of processes the process belongs to.
-      flat_name: process.target.parent.pgid
-      format: string
-      level: extended
-      name: pgid
-      normalize: []
-      original_fieldset: process
-      short: Identifier of the group of processes the process belongs to.
-      type: long
-    process.target.parent.pid:
-      dashed_name: process-target-parent-pid
-      description: Process id.
-      example: 4242
-      flat_name: process.target.parent.pid
-      format: string
-      level: core
-      name: pid
-      normalize: []
-      original_fieldset: process
-      short: Process id.
-      type: long
-    process.target.parent.ppid:
-      dashed_name: process-target-parent-ppid
-      description: Parent process' pid.
-      example: 4241
-      flat_name: process.target.parent.ppid
-      format: string
-      level: extended
-      name: ppid
-      normalize: []
-      original_fieldset: process
-      short: Parent process' pid.
-      type: long
-    process.target.parent.start:
-      dashed_name: process-target-parent-start
-      description: The time the process started.
-      example: '2016-05-23T08:05:34.853Z'
-      flat_name: process.target.parent.start
-      level: extended
-      name: start
-      normalize: []
-      original_fieldset: process
-      short: The time the process started.
-      type: date
-    process.target.parent.thread.id:
-      dashed_name: process-target-parent-thread-id
-      description: Thread ID.
-      example: 4242
-      flat_name: process.target.parent.thread.id
-      format: string
-      level: extended
-      name: thread.id
-      normalize: []
-      original_fieldset: process
-      short: Thread ID.
-      type: long
-    process.target.parent.thread.name:
-      dashed_name: process-target-parent-thread-name
-      description: Thread name.
-      example: thread-0
-      flat_name: process.target.parent.thread.name
-      ignore_above: 1024
-      level: extended
-      name: thread.name
-      normalize: []
-      original_fieldset: process
-      short: Thread name.
-      type: keyword
-    process.target.parent.title:
-      dashed_name: process-target-parent-title
-      description: 'Process title.
-
-        The proctitle, some times the same as process name. Can also be different:
-        for example a browser setting its title to the web page currently opened.'
-      flat_name: process.target.parent.title
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.parent.title.text
-        name: text
-        type: match_only_text
-      name: title
-      normalize: []
-      original_fieldset: process
-      short: Process title.
-      type: keyword
-    process.target.parent.uptime:
-      dashed_name: process-target-parent-uptime
-      description: Seconds the process has been up.
-      example: 1325
-      flat_name: process.target.parent.uptime
-      level: extended
-      name: uptime
-      normalize: []
-      original_fieldset: process
-      short: Seconds the process has been up.
-      type: long
-    process.target.parent.working_directory:
-      dashed_name: process-target-parent-working-directory
-      description: The working directory of the process.
-      example: /home/alice
-      flat_name: process.target.parent.working_directory
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.parent.working_directory.text
-        name: text
-        type: match_only_text
-      name: working_directory
-      normalize: []
-      original_fieldset: process
-      short: The working directory of the process.
-      type: keyword
-    process.target.pe.architecture:
-      dashed_name: process-target-pe-architecture
-      description: CPU architecture target for the file.
-      example: x64
-      flat_name: process.target.pe.architecture
-      ignore_above: 1024
-      level: extended
-      name: architecture
-      normalize: []
-      original_fieldset: pe
-      short: CPU architecture target for the file.
-      type: keyword
-    process.target.pe.authentihash:
-      dashed_name: process-target-pe-authentihash
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-      flat_name: process.target.pe.authentihash
-      ignore_above: 1024
-      level: extended
-      name: authentihash
-      normalize: []
-      original_fieldset: pe
-      short: Authentihash of the PE file.
-      type: keyword
-    process.target.pe.company:
-      dashed_name: process-target-pe-company
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      flat_name: process.target.pe.company
-      ignore_above: 1024
-      level: extended
-      name: company
-      normalize: []
-      original_fieldset: pe
-      short: Internal company name of the file, provided at compile-time.
-      type: keyword
-    process.target.pe.compile_timestamp:
-      dashed_name: process-target-pe-compile-timestamp
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: process.target.pe.compile_timestamp
-      level: extended
-      name: compile_timestamp
-      normalize: []
-      original_fieldset: pe
-      short: Compile timestamp of the PE file.
-      type: date
-    process.target.pe.compiler.name:
-      dashed_name: process-target-pe-compiler-name
-      description: Name of the compiler
-      example: Clang
-      flat_name: process.target.pe.compiler.name
-      ignore_above: 1024
-      level: extended
-      name: compiler.name
-      normalize: []
-      original_fieldset: pe
-      short: Name of the compiler
-      type: keyword
-    process.target.pe.compiler.version:
-      dashed_name: process-target-pe-compiler-version
-      description: Version of the compiler.
-      example: 11.0.0
-      flat_name: process.target.pe.compiler.version
-      ignore_above: 1024
-      level: extended
-      name: compiler.version
-      normalize: []
-      original_fieldset: pe
-      short: Version of the compiler.
-      type: keyword
-    process.target.pe.creation_date:
-      dashed_name: process-target-pe-creation-date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: process.target.pe.creation_date
-      level: extended
-      name: creation_date
-      normalize: []
-      original_fieldset: pe
-      short: Build or compile date.
-      type: date
-    process.target.pe.debug:
-      dashed_name: process-target-pe-debug
-      description: 'An array containing an object for each debug entry, if present.
-
-        The expected fields for this nested object fall under the `debug.` prefix.'
-      flat_name: process.target.pe.debug
-      level: extended
-      name: debug
-      normalize:
-      - array
-      original_fieldset: pe
-      short: Debug information
-      type: nested
-    process.target.pe.debug.offset:
-      dashed_name: process-target-pe-debug-offset
-      description: Debug offset information.
-      example: 1296336
-      flat_name: process.target.pe.debug.offset
-      ignore_above: 1024
-      level: extended
-      name: debug.offset
-      normalize: []
-      original_fieldset: pe
-      short: Debug offset information.
-      type: keyword
-    process.target.pe.debug.size:
-      dashed_name: process-target-pe-debug-size
-      description: Size of the debug information.
-      example: 816
-      flat_name: process.target.pe.debug.size
-      format: bytes
-      level: extended
-      name: debug.size
-      normalize: []
-      original_fieldset: pe
-      short: Size of the debug information.
-      type: long
-    process.target.pe.debug.timestamp:
-      dashed_name: process-target-pe-debug-timestamp
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: process.target.pe.debug.timestamp
-      level: extended
-      name: debug.timestamp
-      normalize: []
-      original_fieldset: pe
-      short: Timestamp of the debug information.
-      type: date
-    process.target.pe.debug.type:
-      dashed_name: process-target-pe-debug-type
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
-      flat_name: process.target.pe.debug.type
-      ignore_above: 1024
-      level: extended
-      name: debug.type
-      normalize: []
-      original_fieldset: pe
-      short: Information type generated by the debug options.
-      type: keyword
-    process.target.pe.description:
-      dashed_name: process-target-pe-description
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      flat_name: process.target.pe.description
-      ignore_above: 1024
-      level: extended
-      name: description
-      normalize: []
-      original_fieldset: pe
-      short: Internal description of the file, provided at compile-time.
-      type: keyword
-    process.target.pe.entry_point:
-      dashed_name: process-target-pe-entry-point
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
-      flat_name: process.target.pe.entry_point
-      ignore_above: 1024
-      level: extended
-      name: entry_point
-      normalize: []
-      original_fieldset: pe
-      short: Relative byte offset to the base of the PE file.
-      type: keyword
-    process.target.pe.exports:
-      dashed_name: process-target-pe-exports
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-      flat_name: process.target.pe.exports
-      ignore_above: 1024
-      level: extended
-      name: exports
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of symbols exported by PE
-      type: keyword
-    process.target.pe.file_version:
-      dashed_name: process-target-pe-file-version
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      flat_name: process.target.pe.file_version
-      ignore_above: 1024
-      level: extended
-      name: file_version
-      normalize: []
-      original_fieldset: pe
-      short: Process name.
-      type: keyword
-    process.target.pe.icon.hash.dhash:
-      dashed_name: process-target-pe-icon-hash-dhash
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
-      flat_name: process.target.pe.icon.hash.dhash
-      ignore_above: 1024
-      level: extended
-      name: icon.hash.dhash
-      normalize: []
-      original_fieldset: pe
-      short: Difference Hash (dhash) to find files with a visually similar icon or
-        thumbnail.
-      type: keyword
-    process.target.pe.imphash:
-      dashed_name: process-target-pe-imphash
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      flat_name: process.target.pe.imphash
-      ignore_above: 1024
-      level: extended
-      name: imphash
-      normalize: []
-      original_fieldset: pe
-      short: A hash of the imports in a PE file.
-      type: keyword
-    process.target.pe.imports:
-      dashed_name: process-target-pe-imports
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
-      flat_name: process.target.pe.imports
-      level: extended
-      name: imports
-      normalize: []
-      original_fieldset: pe
-      short: List of all imported functions
-      type: flattened
-    process.target.pe.machine_type:
-      dashed_name: process-target-pe-machine-type
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
-      flat_name: process.target.pe.machine_type
-      ignore_above: 1024
-      level: extended
-      name: machine_type
-      normalize: []
-      original_fieldset: pe
-      short: Machine type of the PE file.
-      type: keyword
-    process.target.pe.original_file_name:
-      dashed_name: process-target-pe-original-file-name
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      flat_name: process.target.pe.original_file_name
-      ignore_above: 1024
-      level: extended
-      name: original_file_name
-      normalize: []
-      original_fieldset: pe
-      short: Internal name of the file, provided at compile-time.
-      type: keyword
-    process.target.pe.packers:
-      dashed_name: process-target-pe-packers
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
-      flat_name: process.target.pe.packers
-      ignore_above: 1024
-      level: extended
-      name: packers
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of packers and tools used.
-      type: keyword
-    process.target.pe.product:
-      dashed_name: process-target-pe-product
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      flat_name: process.target.pe.product
-      ignore_above: 1024
-      level: extended
-      name: product
-      normalize: []
-      original_fieldset: pe
-      short: Internal product name of the file, provided at compile-time.
-      type: keyword
-    process.target.pe.resources:
-      dashed_name: process-target-pe-resources
-      description: 'An array containing an object for each PE resource, if present.
-
-        The expected fields for this nested object fall under the `resources.` prefix.'
-      flat_name: process.target.pe.resources
-      level: extended
-      name: resources
-      normalize:
-      - array
-      original_fieldset: pe
-      short: PE resource information
-      type: nested
-    process.target.pe.resources.chi2:
-      dashed_name: process-target-pe-resources-chi2
-      description: Chi-square probability distribution.
-      example: -1
-      flat_name: process.target.pe.resources.chi2
-      level: extended
-      name: resources.chi2
-      normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    process.target.pe.resources.entropy:
-      dashed_name: process-target-pe-resources-entropy
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
-      flat_name: process.target.pe.resources.entropy
-      level: extended
-      name: resources.entropy
-      normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the resources section.
-      type: long
-    process.target.pe.resources.filetype:
-      dashed_name: process-target-pe-resources-filetype
-      description: File type of the resources section.
-      example: Data
-      flat_name: process.target.pe.resources.filetype
-      ignore_above: 1024
-      level: extended
-      name: resources.filetype
-      normalize: []
-      original_fieldset: pe
-      short: File type of the resources section.
-      type: keyword
-    process.target.pe.resources.language:
-      dashed_name: process-target-pe-resources-language
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
-      flat_name: process.target.pe.resources.language
-      ignore_above: 1024
-      level: extended
-      name: resources.language
-      normalize: []
-      original_fieldset: pe
-      short: Language identification.
-      type: keyword
-    process.target.pe.resources.sha256:
-      dashed_name: process-target-pe-resources-sha256
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-      flat_name: process.target.pe.resources.sha256
-      ignore_above: 1024
-      level: extended
-      name: resources.sha256
-      normalize: []
-      original_fieldset: pe
-      short: SHA256 hash of resources section.
-      type: keyword
-    process.target.pe.resources.type:
-      dashed_name: process-target-pe-resources-type
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
-      flat_name: process.target.pe.resources.type
-      ignore_above: 1024
-      level: extended
-      name: resources.type
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of resource types.
-      type: keyword
-    process.target.pe.rich_header.hash.md5:
-      dashed_name: process-target-pe-rich-header-hash-md5
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-      flat_name: process.target.pe.rich_header.hash.md5
-      ignore_above: 1024
-      level: extended
-      name: rich_header.hash.md5
-      normalize: []
-      original_fieldset: pe
-      short: MD5 hash of the header for the PE file.
-      type: keyword
-    process.target.pe.sections:
-      dashed_name: process-target-pe-sections
-      description: Data about sections of compiled binary PE
-      flat_name: process.target.pe.sections
-      level: extended
-      name: sections
-      normalize:
-      - array
-      original_fieldset: pe
-      short: Data about sections of the compiled binary PE
-      type: nested
-    process.target.pe.sections.chi2:
-      dashed_name: process-target-pe-sections-chi2
-      description: Chi-square probability distribution.
-      example: 3027194
-      flat_name: process.target.pe.sections.chi2
-      level: extended
-      name: sections.chi2
-      normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    process.target.pe.sections.entropy:
-      dashed_name: process-target-pe-sections-entropy
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
-      flat_name: process.target.pe.sections.entropy
-      level: extended
-      name: sections.entropy
-      normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the file.
-      type: float
-    process.target.pe.sections.flags:
-      dashed_name: process-target-pe-sections-flags
-      description: Section flags of the file.
-      example: rx
-      flat_name: process.target.pe.sections.flags
-      ignore_above: 1024
-      level: extended
-      name: sections.flags
-      normalize: []
-      original_fieldset: pe
-      short: Section flags of the file.
-      type: keyword
-    process.target.pe.sections.name:
-      dashed_name: process-target-pe-sections-name
-      description: Section names of the file.
-      example: .text, .data
-      flat_name: process.target.pe.sections.name
-      ignore_above: 1024
-      level: extended
-      name: sections.name
-      normalize: []
-      original_fieldset: pe
-      short: Section names of the file.
-      type: keyword
-    process.target.pe.sections.raw_size:
-      dashed_name: process-target-pe-sections-raw-size
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      flat_name: process.target.pe.sections.raw_size
-      format: bytes
-      level: extended
-      name: sections.raw_size
-      normalize: []
-      original_fieldset: pe
-      short: Size of the section or the dize of the initialized data on disk.
-      type: long
-    process.target.pe.sections.virtual_address:
-      dashed_name: process-target-pe-sections-virtual-address
-      description: Virtual address available to the file.
-      example: 8192
-      flat_name: process.target.pe.sections.virtual_address
-      format: bytes
-      level: extended
-      name: sections.virtual_address
-      normalize: []
-      original_fieldset: pe
-      short: Virtual address available to the file.
-      type: long
-    process.target.pgid:
-      dashed_name: process-target-pgid
-      description: Identifier of the group of processes the process belongs to.
-      flat_name: process.target.pgid
-      format: string
-      level: extended
-      name: pgid
-      normalize: []
-      original_fieldset: process
-      short: Identifier of the group of processes the process belongs to.
-      type: long
-    process.target.pid:
-      dashed_name: process-target-pid
-      description: Process id.
-      example: 4242
-      flat_name: process.target.pid
-      format: string
-      level: core
-      name: pid
-      normalize: []
-      original_fieldset: process
-      short: Process id.
-      type: long
-    process.target.ppid:
-      dashed_name: process-target-ppid
-      description: Parent process' pid.
-      example: 4241
-      flat_name: process.target.ppid
-      format: string
-      level: extended
-      name: ppid
-      normalize: []
-      original_fieldset: process
-      short: Parent process' pid.
-      type: long
-    process.target.start:
-      dashed_name: process-target-start
-      description: The time the process started.
-      example: '2016-05-23T08:05:34.853Z'
-      flat_name: process.target.start
-      level: extended
-      name: start
-      normalize: []
-      original_fieldset: process
-      short: The time the process started.
-      type: date
-    process.target.thread.id:
-      dashed_name: process-target-thread-id
-      description: Thread ID.
-      example: 4242
-      flat_name: process.target.thread.id
-      format: string
-      level: extended
-      name: thread.id
-      normalize: []
-      original_fieldset: process
-      short: Thread ID.
-      type: long
-    process.target.thread.name:
-      dashed_name: process-target-thread-name
-      description: Thread name.
-      example: thread-0
-      flat_name: process.target.thread.name
-      ignore_above: 1024
-      level: extended
-      name: thread.name
-      normalize: []
-      original_fieldset: process
-      short: Thread name.
-      type: keyword
-    process.target.title:
-      dashed_name: process-target-title
-      description: 'Process title.
-
-        The proctitle, some times the same as process name. Can also be different:
-        for example a browser setting its title to the web page currently opened.'
-      flat_name: process.target.title
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.title.text
-        name: text
-        type: match_only_text
-      name: title
-      normalize: []
-      original_fieldset: process
-      short: Process title.
-      type: keyword
-    process.target.uptime:
-      dashed_name: process-target-uptime
-      description: Seconds the process has been up.
-      example: 1325
-      flat_name: process.target.uptime
-      level: extended
-      name: uptime
-      normalize: []
-      original_fieldset: process
-      short: Seconds the process has been up.
-      type: long
-    process.target.working_directory:
-      dashed_name: process-target-working-directory
-      description: The working directory of the process.
-      example: /home/alice
-      flat_name: process.target.working_directory
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.target.working_directory.text
-        name: text
-        type: match_only_text
-      name: working_directory
-      normalize: []
-      original_fieldset: process
-      short: The working directory of the process.
-      type: keyword
-    process.thread.id:
-      dashed_name: process-thread-id
-      description: Thread ID.
-      example: 4242
-      flat_name: process.thread.id
-      format: string
-      level: extended
-      name: thread.id
-      normalize: []
-      short: Thread ID.
-      type: long
-    process.thread.name:
-      dashed_name: process-thread-name
-      description: Thread name.
-      example: thread-0
-      flat_name: process.thread.name
-      ignore_above: 1024
-      level: extended
-      name: thread.name
-      normalize: []
-      short: Thread name.
-      type: keyword
-    process.title:
-      dashed_name: process-title
-      description: 'Process title.
-
-        The proctitle, some times the same as process name. Can also be different:
-        for example a browser setting its title to the web page currently opened.'
-      flat_name: process.title
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.title.text
-        name: text
-        type: match_only_text
-      name: title
-      normalize: []
-      short: Process title.
-      type: keyword
-    process.uptime:
-      dashed_name: process-uptime
-      description: Seconds the process has been up.
-      example: 1325
-      flat_name: process.uptime
-      level: extended
-      name: uptime
-      normalize: []
-      short: Seconds the process has been up.
-      type: long
-    process.working_directory:
-      dashed_name: process-working-directory
-      description: The working directory of the process.
-      example: /home/alice
-      flat_name: process.working_directory
-      ignore_above: 1024
-      level: extended
-      multi_fields:
-      - flat_name: process.working_directory.text
-        name: text
-        type: match_only_text
-      name: working_directory
-      normalize: []
-      short: The working directory of the process.
-      type: keyword
-  group: 2
-  name: process
-  nestings:
-  - process.code_signature
-  - process.elf
-  - process.hash
-  - process.parent
-  - process.pe
-  - process.target
-  - process.target.parent
-  prefix: process.
-  reusable:
-    expected:
-    - as: parent
-      at: process
-      full: process.parent
-      short_override: Information about the parent process.
-    - as: target
-      at: process
-      full: process.target
-    - as: parent
-      at: process.target
-      full: process.target.parent
-    top_level: true
-  reused_here:
-  - full: process.code_signature
-    schema_name: code_signature
-    short: These fields contain information about binary code signatures.
-  - beta: This field reuse is beta and subject to change.
-    full: process.elf
-    schema_name: elf
-    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
-  - full: process.hash
-    schema_name: hash
-    short: Hashes, usually file hashes.
-  - full: process.pe
-    schema_name: pe
-    short: These fields contain Windows Portable Executable (PE) metadata.
-  - full: process.parent
-    schema_name: process
-    short: Information about the parent process.
-  - full: process.target
-    schema_name: process
-    short: These fields contain information about a process.
-  - full: process.target.parent
-    schema_name: process
-    short: These fields contain information about a process.
-  short: These fields contain information about a process.
-  title: Process
-  type: group
-registry:
-  description: Fields related to Windows Registry operations.
-  fields:
-    registry.data.bytes:
-      dashed_name: registry-data-bytes
-      description: 'Original bytes written with base64 encoding.
-
-        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
-        corresponds to the data pointed by `lp_data`. This is optional but provides
-        better recoverability and should be populated for REG_BINARY encoded values.'
-      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-      flat_name: registry.data.bytes
-      ignore_above: 1024
-      level: extended
-      name: data.bytes
-      normalize: []
-      short: Original bytes written with base64 encoding.
-      type: keyword
-    registry.data.strings:
-      dashed_name: registry-data-strings
-      description: 'Content when writing string types.
-
-        Populated as an array when writing string data to the registry. For single
-        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
-        one string. For sequences of string with REG_MULTI_SZ, this array will be
-        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
-        be populated with the decimal representation (e.g `"1"`).'
-      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
-      flat_name: registry.data.strings
-      level: core
-      name: data.strings
-      normalize:
-      - array
-      short: List of strings representing what was written to the registry.
-      type: wildcard
-    registry.data.type:
-      dashed_name: registry-data-type
-      description: Standard registry type for encoding contents
-      example: REG_SZ
-      flat_name: registry.data.type
-      ignore_above: 1024
-      level: core
-      name: data.type
-      normalize: []
-      short: Standard registry type for encoding contents
-      type: keyword
-    registry.hive:
-      dashed_name: registry-hive
-      description: Abbreviated name for the hive.
-      example: HKLM
-      flat_name: registry.hive
-      ignore_above: 1024
-      level: core
-      name: hive
-      normalize: []
-      short: Abbreviated name for the hive.
+      short: Abbreviated name for the hive.
       type: keyword
     registry.key:
       dashed_name: registry-key
@@ -14212,168 +12212,436 @@ server:
       original_fieldset: user
       short: User's full name, if available.
       type: keyword
-    server.user.group.domain:
-      dashed_name: server-user-group-domain
-      description: 'Name of the directory the group is a member of.
+    server.user.group.domain:
+      dashed_name: server-user-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: server.user.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    server.user.group.id:
+      dashed_name: server-user-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: server.user.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    server.user.group.name:
+      dashed_name: server-user-group-name
+      description: Name of the group.
+      flat_name: server.user.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    server.user.hash:
+      dashed_name: server-user-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: server.user.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    server.user.id:
+      dashed_name: server-user-id
+      description: Unique identifier of the user.
+      example: S-1-5-21-202424912787-2692429404-2351956786-1000
+      flat_name: server.user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    server.user.name:
+      dashed_name: server-user-name
+      description: Short name or login of the user.
+      example: a.einstein
+      flat_name: server.user.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: server.user.name.text
+        name: text
+        type: match_only_text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: keyword
+    server.user.roles:
+      dashed_name: server-user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: server.user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: server
+  nestings:
+  - server.as
+  - server.geo
+  - server.user
+  prefix: server.
+  reused_here:
+  - full: server.as
+    schema_name: as
+    short: Fields describing an Autonomous System (Internet routing prefix).
+  - full: server.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: server.user
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  short: Fields about the server side of a network connection, used with client.
+  title: Server
+  type: group
+service:
+  description: 'The service fields describe the service for or from which the data
+    was collected.
+
+    These fields help you find and correlate logs for a specific service and version.'
+  fields:
+    service.address:
+      dashed_name: service-address
+      description: 'Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
+      flat_name: service.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      short: Address of this service.
+      type: keyword
+    service.environment:
+      beta: This field is beta and subject to change.
+      dashed_name: service-environment
+      description: 'Identifies the environment where the service is running.
+
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
+      flat_name: service.environment
+      ignore_above: 1024
+      level: extended
+      name: environment
+      normalize: []
+      short: Environment of the service.
+      type: keyword
+    service.ephemeral_id:
+      dashed_name: service-ephemeral-id
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+      flat_name: service.ephemeral_id
+      ignore_above: 1024
+      level: extended
+      name: ephemeral_id
+      normalize: []
+      short: Ephemeral identifier of this service.
+      type: keyword
+    service.id:
+      dashed_name: service-id
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+      flat_name: service.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique identifier of the running service.
+      type: keyword
+    service.name:
+      dashed_name: service-name
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+      flat_name: service.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the service.
+      type: keyword
+    service.node.name:
+      dashed_name: service-node-name
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+      flat_name: service.node.name
+      ignore_above: 1024
+      level: extended
+      name: node.name
+      normalize: []
+      short: Name of the service node.
+      type: keyword
+    service.origin.address:
+      dashed_name: service-origin-address
+      description: 'Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
+      flat_name: service.origin.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      original_fieldset: service
+      short: Address of this service.
+      type: keyword
+    service.origin.environment:
+      beta: This field is beta and subject to change.
+      dashed_name: service-origin-environment
+      description: 'Identifies the environment where the service is running.
+
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
+      flat_name: service.origin.environment
+      ignore_above: 1024
+      level: extended
+      name: environment
+      normalize: []
+      original_fieldset: service
+      short: Environment of the service.
+      type: keyword
+    service.origin.ephemeral_id:
+      dashed_name: service-origin-ephemeral-id
+      description: 'Ephemeral identifier of this service (if one exists).
 
-        For example, an LDAP or Active Directory domain name.'
-      flat_name: server.user.group.domain
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+      flat_name: service.origin.ephemeral_id
       ignore_above: 1024
       level: extended
-      name: domain
+      name: ephemeral_id
       normalize: []
-      original_fieldset: group
-      short: Name of the directory the group is a member of.
+      original_fieldset: service
+      short: Ephemeral identifier of this service.
       type: keyword
-    server.user.group.id:
-      dashed_name: server-user-group-id
-      description: Unique identifier for the group on the system/platform.
-      flat_name: server.user.group.id
+    service.origin.id:
+      dashed_name: service-origin-id
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+      flat_name: service.origin.id
       ignore_above: 1024
-      level: extended
+      level: core
       name: id
       normalize: []
-      original_fieldset: group
-      short: Unique identifier for the group on the system/platform.
+      original_fieldset: service
+      short: Unique identifier of the running service.
       type: keyword
-    server.user.group.name:
-      dashed_name: server-user-group-name
-      description: Name of the group.
-      flat_name: server.user.group.name
+    service.origin.name:
+      dashed_name: service-origin-name
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+      flat_name: service.origin.name
       ignore_above: 1024
-      level: extended
+      level: core
       name: name
       normalize: []
-      original_fieldset: group
-      short: Name of the group.
+      original_fieldset: service
+      short: Name of the service.
       type: keyword
-    server.user.hash:
-      dashed_name: server-user-hash
-      description: 'Unique user hash to correlate information for a user in anonymized
-        form.
+    service.origin.node.name:
+      dashed_name: service-origin-node-name
+      description: 'Name of a service node.
 
-        Useful if `user.id` or `user.name` contain confidential information and cannot
-        be used.'
-      flat_name: server.user.hash
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+      flat_name: service.origin.node.name
       ignore_above: 1024
       level: extended
-      name: hash
+      name: node.name
       normalize: []
-      original_fieldset: user
-      short: Unique user hash to correlate information for a user in anonymized form.
+      original_fieldset: service
+      short: Name of the service node.
       type: keyword
-    server.user.id:
-      dashed_name: server-user-id
-      description: Unique identifier of the user.
-      example: S-1-5-21-202424912787-2692429404-2351956786-1000
-      flat_name: server.user.id
+    service.origin.state:
+      dashed_name: service-origin-state
+      description: Current state of the service.
+      flat_name: service.origin.state
       ignore_above: 1024
       level: core
-      name: id
+      name: state
       normalize: []
-      original_fieldset: user
-      short: Unique identifier of the user.
+      original_fieldset: service
+      short: Current state of the service.
       type: keyword
-    server.user.name:
-      dashed_name: server-user-name
-      description: Short name or login of the user.
-      example: a.einstein
-      flat_name: server.user.name
+    service.origin.type:
+      dashed_name: service-origin-type
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+      flat_name: service.origin.type
       ignore_above: 1024
       level: core
-      multi_fields:
-      - flat_name: server.user.name.text
-        name: text
-        type: match_only_text
-      name: name
+      name: type
       normalize: []
-      original_fieldset: user
-      short: Short name or login of the user.
+      original_fieldset: service
+      short: The type of the service.
       type: keyword
-    server.user.roles:
-      dashed_name: server-user-roles
-      description: Array of user roles at the time of the event.
-      example: '["kibana_admin", "reporting_user"]'
-      flat_name: server.user.roles
+    service.origin.version:
+      dashed_name: service-origin-version
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+      flat_name: service.origin.version
       ignore_above: 1024
-      level: extended
-      name: roles
-      normalize:
-      - array
-      original_fieldset: user
-      short: Array of user roles at the time of the event.
+      level: core
+      name: version
+      normalize: []
+      original_fieldset: service
+      short: Version of the service.
       type: keyword
-  group: 2
-  name: server
-  nestings:
-  - server.as
-  - server.geo
-  - server.user
-  prefix: server.
-  reused_here:
-  - full: server.as
-    schema_name: as
-    short: Fields describing an Autonomous System (Internet routing prefix).
-  - full: server.geo
-    schema_name: geo
-    short: Fields describing a location.
-  - full: server.user
-    schema_name: user
-    short: Fields to describe the user relevant to the event.
-  short: Fields about the server side of a network connection, used with client.
-  title: Server
-  type: group
-service:
-  description: 'The service fields describe the service for or from which the data
-    was collected.
-
-    These fields help you find and correlate logs for a specific service and version.'
-  fields:
-    service.address:
-      dashed_name: service-address
+    service.state:
+      dashed_name: service-state
+      description: Current state of the service.
+      flat_name: service.state
+      ignore_above: 1024
+      level: core
+      name: state
+      normalize: []
+      short: Current state of the service.
+      type: keyword
+    service.target.address:
+      dashed_name: service-target-address
       description: 'Address where data about this service was collected from.
 
         This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
         path (sockets).'
       example: 172.26.0.2:5432
-      flat_name: service.address
+      flat_name: service.target.address
       ignore_above: 1024
       level: extended
       name: address
       normalize: []
+      original_fieldset: service
       short: Address of this service.
       type: keyword
-    service.environment:
+    service.target.environment:
       beta: This field is beta and subject to change.
-      dashed_name: service-environment
+      dashed_name: service-target-environment
       description: 'Identifies the environment where the service is running.
 
         If the same service runs in different environments (production, staging, QA,
         development, etc.), the environment can identify other instances of the same
         service. Can also group services and applications from the same environment.'
       example: production
-      flat_name: service.environment
+      flat_name: service.target.environment
       ignore_above: 1024
       level: extended
       name: environment
       normalize: []
+      original_fieldset: service
       short: Environment of the service.
       type: keyword
-    service.ephemeral_id:
-      dashed_name: service-ephemeral-id
+    service.target.ephemeral_id:
+      dashed_name: service-target-ephemeral-id
       description: 'Ephemeral identifier of this service (if one exists).
 
         This id normally changes across restarts, but `service.id` does not.'
       example: 8a4f500f
-      flat_name: service.ephemeral_id
+      flat_name: service.target.ephemeral_id
       ignore_above: 1024
       level: extended
       name: ephemeral_id
       normalize: []
+      original_fieldset: service
       short: Ephemeral identifier of this service.
       type: keyword
-    service.id:
-      dashed_name: service-id
+    service.target.id:
+      dashed_name: service-target-id
       description: 'Unique identifier of the running service. If the service is comprised
         of many nodes, the `service.id` should be the same for all nodes.
 
@@ -14384,15 +12652,16 @@ service:
         Note that if you need to see the events from one specific host of the service,
         you should filter on that `host.name` or `host.id` instead.'
       example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-      flat_name: service.id
+      flat_name: service.target.id
       ignore_above: 1024
       level: core
       name: id
       normalize: []
+      original_fieldset: service
       short: Unique identifier of the running service.
       type: keyword
-    service.name:
-      dashed_name: service-name
+    service.target.name:
+      dashed_name: service-target-name
       description: 'Name of the service data is collected from.
 
         The name of the service is normally user given. This allows for distributed
@@ -14403,15 +12672,16 @@ service:
         name. For Beats the `service.name` is by default a copy of the `service.type`
         field if no name is specified.'
       example: elasticsearch-metrics
-      flat_name: service.name
+      flat_name: service.target.name
       ignore_above: 1024
       level: core
       name: name
       normalize: []
+      original_fieldset: service
       short: Name of the service.
       type: keyword
-    service.node.name:
-      dashed_name: service-node-name
+    service.target.node.name:
+      dashed_name: service-target-node-name
       description: 'Name of a service node.
 
         This allows for two nodes of the same service running on the same host to
@@ -14425,23 +12695,57 @@ service:
         provide uniqueness (e.g. multiple instances of the service running on the
         same host) - the node name can be manually set.'
       example: instance-0000000016
-      flat_name: service.node.name
+      flat_name: service.target.node.name
       ignore_above: 1024
       level: extended
       name: node.name
       normalize: []
+      original_fieldset: service
       short: Name of the service node.
       type: keyword
-    service.state:
-      dashed_name: service-state
+    service.target.state:
+      dashed_name: service-target-state
       description: Current state of the service.
-      flat_name: service.state
+      flat_name: service.target.state
       ignore_above: 1024
       level: core
       name: state
       normalize: []
+      original_fieldset: service
       short: Current state of the service.
       type: keyword
+    service.target.type:
+      dashed_name: service-target-type
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+      flat_name: service.target.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      original_fieldset: service
+      short: The type of the service.
+      type: keyword
+    service.target.version:
+      dashed_name: service-target-version
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+      flat_name: service.target.version
+      ignore_above: 1024
+      level: core
+      name: version
+      normalize: []
+      original_fieldset: service
+      short: Version of the service.
+      type: keyword
     service.type:
       dashed_name: service-type
       description: 'The type of the service data is collected from.
@@ -14472,9 +12776,46 @@ service:
       normalize: []
       short: Version of the service.
       type: keyword
+  footnote: The service fields may be self-nested under service.origin.* and service.target.*  to
+    describe origin or target services in the context of incoming or outgoing requests,  respectively.
+    However, the fieldsets service.origin.* and service.target.* must not be confused
+    with  the root service fieldset that is used to describe the actual service under
+    observation. The fieldset service.origin.* may only be used in the context of
+    incoming requests or  events to describe the originating service of the request.
+    The fieldset service.target.*  may only be used in the context of outgoing requests
+    or events to describe the target  service of the request.
   group: 2
   name: service
+  nestings:
+  - service.origin
+  - service.target
   prefix: service.
+  reusable:
+    expected:
+    - as: origin
+      at: service
+      beta: Reusing the `service` fields in this location is currently considered
+        beta.
+      full: service.origin
+      short_override: Describes the origin service in case of an incoming request
+        or event.
+    - as: target
+      at: service
+      beta: Reusing the `service` fields in this location is currently considered
+        beta.
+      full: service.target
+      short_override: Describes the target service in case of an outgoing request
+        or event.
+    top_level: true
+  reused_here:
+  - beta: Reusing the `service` fields in this location is currently considered beta.
+    full: service.origin
+    schema_name: service
+    short: Describes the origin service in case of an incoming request or event.
+  - beta: Reusing the `service` fields in this location is currently considered beta.
+    full: service.target
+    schema_name: service
+    short: Describes the target service in case of an outgoing request or event.
   short: Fields describing the service for or from which the data was collected.
   title: Service
   type: group
@@ -14983,7 +13324,8 @@ threat:
       flat_name: threat.enrichments
       level: extended
       name: enrichments
-      normalize: []
+      normalize:
+      - array
       short: List of objects containing indicators enriching the event.
       type: nested
     threat.enrichments.indicator:
@@ -15674,6 +14016,61 @@ threat:
       original_fieldset: file
       short: Primary group name of the file.
       type: keyword
+    threat.enrichments.indicator.file.hash.md5:
+      dashed_name: threat-enrichments-indicator-file-hash-md5
+      description: MD5 hash.
+      flat_name: threat.enrichments.indicator.file.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.sha1:
+      dashed_name: threat-enrichments-indicator-file-hash-sha1
+      description: SHA1 hash.
+      flat_name: threat.enrichments.indicator.file.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.sha256:
+      dashed_name: threat-enrichments-indicator-file-hash-sha256
+      description: SHA256 hash.
+      flat_name: threat.enrichments.indicator.file.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.sha512:
+      dashed_name: threat-enrichments-indicator-file-hash-sha512
+      description: SHA512 hash.
+      flat_name: threat.enrichments.indicator.file.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.ssdeep:
+      dashed_name: threat-enrichments-indicator-file-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: threat.enrichments.indicator.file.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     threat.enrichments.indicator.file.inode:
       dashed_name: threat-enrichments-indicator-file-inode
       description: Inode representing the file in the filesystem.
@@ -15763,774 +14160,1025 @@ threat:
       original_fieldset: file
       short: Full path to the file, including the file name.
       type: keyword
-    threat.enrichments.indicator.file.size:
-      dashed_name: threat-enrichments-indicator-file-size
-      description: 'File size in bytes.
-
-        Only relevant when `file.type` is "file".'
-      example: 16384
-      flat_name: threat.enrichments.indicator.file.size
+    threat.enrichments.indicator.file.pe.architecture:
+      dashed_name: threat-enrichments-indicator-file-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: threat.enrichments.indicator.file.pe.architecture
+      ignore_above: 1024
       level: extended
-      name: size
+      name: architecture
       normalize: []
-      original_fieldset: file
-      short: File size in bytes.
-      type: long
-    threat.enrichments.indicator.file.target_path:
-      dashed_name: threat-enrichments-indicator-file-target-path
-      description: Target path for symlinks.
-      flat_name: threat.enrichments.indicator.file.target_path
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    threat.enrichments.indicator.file.pe.authentihash:
+      dashed_name: threat-enrichments-indicator-file-pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: threat.enrichments.indicator.file.pe.authentihash
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: threat.enrichments.indicator.file.target_path.text
-        name: text
-        type: match_only_text
-      name: target_path
+      name: authentihash
       normalize: []
-      original_fieldset: file
-      short: Target path for symlinks.
+      original_fieldset: pe
+      short: Authentihash of the PE file.
       type: keyword
-    threat.enrichments.indicator.file.type:
-      dashed_name: threat-enrichments-indicator-file-type
-      description: File type (file, dir, or symlink).
-      example: file
-      flat_name: threat.enrichments.indicator.file.type
+    threat.enrichments.indicator.file.pe.company:
+      dashed_name: threat-enrichments-indicator-file-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: threat.enrichments.indicator.file.pe.company
       ignore_above: 1024
       level: extended
-      name: type
+      name: company
       normalize: []
-      original_fieldset: file
-      short: File type (file, dir, or symlink).
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
       type: keyword
-    threat.enrichments.indicator.file.uid:
-      dashed_name: threat-enrichments-indicator-file-uid
-      description: The user ID (UID) or security identifier (SID) of the file owner.
-      example: '1001'
-      flat_name: threat.enrichments.indicator.file.uid
+    threat.enrichments.indicator.file.pe.compile_timestamp:
+      dashed_name: threat-enrichments-indicator-file-pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.file.pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Compile timestamp of the PE file.
+      type: date
+    threat.enrichments.indicator.file.pe.compiler.name:
+      dashed_name: threat-enrichments-indicator-file-pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: threat.enrichments.indicator.file.pe.compiler.name
       ignore_above: 1024
       level: extended
-      name: uid
+      name: compiler.name
       normalize: []
-      original_fieldset: file
-      short: The user ID (UID) or security identifier (SID) of the file owner.
+      original_fieldset: pe
+      short: Name of the compiler
       type: keyword
-    threat.enrichments.indicator.first_seen:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-first-seen
-      description: The date and time when intelligence source first reported sighting
-        this indicator.
+    threat.enrichments.indicator.file.pe.compiler.version:
+      dashed_name: threat-enrichments-indicator-file-pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: threat.enrichments.indicator.file.pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      original_fieldset: pe
+      short: Version of the compiler.
+      type: keyword
+    threat.enrichments.indicator.file.pe.creation_date:
+      dashed_name: threat-enrichments-indicator-file-pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
       example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.first_seen
+      flat_name: threat.enrichments.indicator.file.pe.creation_date
       level: extended
-      name: enrichments.indicator.first_seen
+      name: creation_date
       normalize: []
-      short: Date/time indicator was first reported.
+      original_fieldset: pe
+      short: Build or compile date.
       type: date
-    threat.enrichments.indicator.geo.city_name:
-      dashed_name: threat-enrichments-indicator-geo-city-name
-      description: City name.
-      example: Montreal
-      flat_name: threat.enrichments.indicator.geo.city_name
+    threat.enrichments.indicator.file.pe.debug:
+      dashed_name: threat-enrichments-indicator-file-pe-debug
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: threat.enrichments.indicator.file.pe.debug
+      level: extended
+      name: debug
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Debug information
+      type: nested
+    threat.enrichments.indicator.file.pe.debug.offset:
+      dashed_name: threat-enrichments-indicator-file-pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: threat.enrichments.indicator.file.pe.debug.offset
       ignore_above: 1024
-      level: core
-      name: city_name
+      level: extended
+      name: debug.offset
       normalize: []
-      original_fieldset: geo
-      short: City name.
+      original_fieldset: pe
+      short: Debug offset information.
       type: keyword
-    threat.enrichments.indicator.geo.continent_code:
-      dashed_name: threat-enrichments-indicator-geo-continent-code
-      description: Two-letter code representing continent's name.
-      example: NA
-      flat_name: threat.enrichments.indicator.geo.continent_code
+    threat.enrichments.indicator.file.pe.debug.size:
+      dashed_name: threat-enrichments-indicator-file-pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: threat.enrichments.indicator.file.pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the debug information.
+      type: long
+    threat.enrichments.indicator.file.pe.debug.timestamp:
+      dashed_name: threat-enrichments-indicator-file-pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.file.pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Timestamp of the debug information.
+      type: date
+    threat.enrichments.indicator.file.pe.debug.type:
+      dashed_name: threat-enrichments-indicator-file-pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: threat.enrichments.indicator.file.pe.debug.type
       ignore_above: 1024
-      level: core
-      name: continent_code
+      level: extended
+      name: debug.type
       normalize: []
-      original_fieldset: geo
-      short: Continent code.
+      original_fieldset: pe
+      short: Information type generated by the debug options.
       type: keyword
-    threat.enrichments.indicator.geo.continent_name:
-      dashed_name: threat-enrichments-indicator-geo-continent-name
-      description: Name of the continent.
-      example: North America
-      flat_name: threat.enrichments.indicator.geo.continent_name
+    threat.enrichments.indicator.file.pe.description:
+      dashed_name: threat-enrichments-indicator-file-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: threat.enrichments.indicator.file.pe.description
       ignore_above: 1024
-      level: core
-      name: continent_name
+      level: extended
+      name: description
       normalize: []
-      original_fieldset: geo
-      short: Name of the continent.
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
       type: keyword
-    threat.enrichments.indicator.geo.country_iso_code:
-      dashed_name: threat-enrichments-indicator-geo-country-iso-code
-      description: Country ISO code.
-      example: CA
-      flat_name: threat.enrichments.indicator.geo.country_iso_code
+    threat.enrichments.indicator.file.pe.entry_point:
+      dashed_name: threat-enrichments-indicator-file-pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: threat.enrichments.indicator.file.pe.entry_point
       ignore_above: 1024
-      level: core
-      name: country_iso_code
+      level: extended
+      name: entry_point
       normalize: []
-      original_fieldset: geo
-      short: Country ISO code.
+      original_fieldset: pe
+      short: Relative byte offset to the base of the PE file.
       type: keyword
-    threat.enrichments.indicator.geo.country_name:
-      dashed_name: threat-enrichments-indicator-geo-country-name
-      description: Country name.
-      example: Canada
-      flat_name: threat.enrichments.indicator.geo.country_name
+    threat.enrichments.indicator.file.pe.exports:
+      dashed_name: threat-enrichments-indicator-file-pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: threat.enrichments.indicator.file.pe.exports
       ignore_above: 1024
-      level: core
-      name: country_name
+      level: extended
+      name: exports
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of symbols exported by PE
+      type: keyword
+    threat.enrichments.indicator.file.pe.file_version:
+      dashed_name: threat-enrichments-indicator-file-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: threat.enrichments.indicator.file.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
       normalize: []
-      original_fieldset: geo
-      short: Country name.
+      original_fieldset: pe
+      short: Process name.
       type: keyword
-    threat.enrichments.indicator.geo.location:
-      dashed_name: threat-enrichments-indicator-geo-location
-      description: Longitude and latitude.
-      example: '{ "lon": -73.614830, "lat": 45.505918 }'
-      flat_name: threat.enrichments.indicator.geo.location
-      level: core
-      name: location
+    threat.enrichments.indicator.file.pe.icon.hash.dhash:
+      dashed_name: threat-enrichments-indicator-file-pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: threat.enrichments.indicator.file.pe.icon.hash.dhash
+      ignore_above: 1024
+      level: extended
+      name: icon.hash.dhash
       normalize: []
-      original_fieldset: geo
-      short: Longitude and latitude.
-      type: geo_point
-    threat.enrichments.indicator.geo.name:
-      dashed_name: threat-enrichments-indicator-geo-name
-      description: 'User-defined description of a location, at the level of granularity
-        they care about.
-
-        Could be the name of their data centers, the floor number, if this describes
-        a local physical entity, city names.
+      original_fieldset: pe
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
+    threat.enrichments.indicator.file.pe.imphash:
+      dashed_name: threat-enrichments-indicator-file-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
 
-        Not typically used in automated geolocation.'
-      example: boston-dc
-      flat_name: threat.enrichments.indicator.geo.name
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: threat.enrichments.indicator.file.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    threat.enrichments.indicator.file.pe.imports:
+      dashed_name: threat-enrichments-indicator-file-pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: threat.enrichments.indicator.file.pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: pe
+      short: List of all imported functions
+      type: flattened
+    threat.enrichments.indicator.file.pe.machine_type:
+      dashed_name: threat-enrichments-indicator-file-pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: threat.enrichments.indicator.file.pe.machine_type
       ignore_above: 1024
       level: extended
-      name: name
+      name: machine_type
       normalize: []
-      original_fieldset: geo
-      short: User-defined description of a location.
+      original_fieldset: pe
+      short: Machine type of the PE file.
       type: keyword
-    threat.enrichments.indicator.geo.postal_code:
-      dashed_name: threat-enrichments-indicator-geo-postal-code
-      description: 'Postal code associated with the location.
-
-        Values appropriate for this field may also be known as a postcode or ZIP code
-        and will vary widely from country to country.'
-      example: 94040
-      flat_name: threat.enrichments.indicator.geo.postal_code
+    threat.enrichments.indicator.file.pe.original_file_name:
+      dashed_name: threat-enrichments-indicator-file-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: threat.enrichments.indicator.file.pe.original_file_name
       ignore_above: 1024
-      level: core
-      name: postal_code
+      level: extended
+      name: original_file_name
       normalize: []
-      original_fieldset: geo
-      short: Postal code.
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
       type: keyword
-    threat.enrichments.indicator.geo.region_iso_code:
-      dashed_name: threat-enrichments-indicator-geo-region-iso-code
-      description: Region ISO code.
-      example: CA-QC
-      flat_name: threat.enrichments.indicator.geo.region_iso_code
+    threat.enrichments.indicator.file.pe.packers:
+      dashed_name: threat-enrichments-indicator-file-pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: threat.enrichments.indicator.file.pe.packers
       ignore_above: 1024
-      level: core
-      name: region_iso_code
-      normalize: []
-      original_fieldset: geo
-      short: Region ISO code.
+      level: extended
+      name: packers
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of packers and tools used.
       type: keyword
-    threat.enrichments.indicator.geo.region_name:
-      dashed_name: threat-enrichments-indicator-geo-region-name
-      description: Region name.
-      example: Quebec
-      flat_name: threat.enrichments.indicator.geo.region_name
+    threat.enrichments.indicator.file.pe.product:
+      dashed_name: threat-enrichments-indicator-file-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: threat.enrichments.indicator.file.pe.product
       ignore_above: 1024
-      level: core
-      name: region_name
+      level: extended
+      name: product
       normalize: []
-      original_fieldset: geo
-      short: Region name.
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
       type: keyword
-    threat.enrichments.indicator.geo.timezone:
-      dashed_name: threat-enrichments-indicator-geo-timezone
-      description: The time zone of the location, such as IANA time zone name.
-      example: America/Argentina/Buenos_Aires
-      flat_name: threat.enrichments.indicator.geo.timezone
+    threat.enrichments.indicator.file.pe.resources:
+      dashed_name: threat-enrichments-indicator-file-pe-resources
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: threat.enrichments.indicator.file.pe.resources
+      level: extended
+      name: resources
+      normalize:
+      - array
+      original_fieldset: pe
+      short: PE resource information
+      type: nested
+    threat.enrichments.indicator.file.pe.resources.chi2:
+      dashed_name: threat-enrichments-indicator-file-pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: threat.enrichments.indicator.file.pe.resources.chi2
+      level: extended
+      name: resources.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    threat.enrichments.indicator.file.pe.resources.entropy:
+      dashed_name: threat-enrichments-indicator-file-pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: threat.enrichments.indicator.file.pe.resources.entropy
+      level: extended
+      name: resources.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    threat.enrichments.indicator.file.pe.resources.filetype:
+      dashed_name: threat-enrichments-indicator-file-pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: threat.enrichments.indicator.file.pe.resources.filetype
       ignore_above: 1024
-      level: core
-      name: timezone
+      level: extended
+      name: resources.filetype
       normalize: []
-      original_fieldset: geo
-      short: Time zone.
+      original_fieldset: pe
+      short: File type of the resources section.
       type: keyword
-    threat.enrichments.indicator.hash.md5:
-      dashed_name: threat-enrichments-indicator-hash-md5
-      description: MD5 hash.
-      flat_name: threat.enrichments.indicator.hash.md5
+    threat.enrichments.indicator.file.pe.resources.language:
+      dashed_name: threat-enrichments-indicator-file-pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: threat.enrichments.indicator.file.pe.resources.language
       ignore_above: 1024
       level: extended
-      name: md5
+      name: resources.language
       normalize: []
-      original_fieldset: hash
-      short: MD5 hash.
+      original_fieldset: pe
+      short: Language identification.
       type: keyword
-    threat.enrichments.indicator.hash.sha1:
-      dashed_name: threat-enrichments-indicator-hash-sha1
-      description: SHA1 hash.
-      flat_name: threat.enrichments.indicator.hash.sha1
+    threat.enrichments.indicator.file.pe.resources.sha256:
+      dashed_name: threat-enrichments-indicator-file-pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: threat.enrichments.indicator.file.pe.resources.sha256
       ignore_above: 1024
       level: extended
-      name: sha1
+      name: resources.sha256
       normalize: []
-      original_fieldset: hash
-      short: SHA1 hash.
+      original_fieldset: pe
+      short: SHA256 hash of resources section.
       type: keyword
-    threat.enrichments.indicator.hash.sha256:
-      dashed_name: threat-enrichments-indicator-hash-sha256
-      description: SHA256 hash.
-      flat_name: threat.enrichments.indicator.hash.sha256
+    threat.enrichments.indicator.file.pe.resources.type:
+      dashed_name: threat-enrichments-indicator-file-pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: threat.enrichments.indicator.file.pe.resources.type
       ignore_above: 1024
       level: extended
-      name: sha256
+      name: resources.type
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of resource types.
+      type: keyword
+    threat.enrichments.indicator.file.pe.rich_header.hash.md5:
+      dashed_name: threat-enrichments-indicator-file-pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: threat.enrichments.indicator.file.pe.rich_header.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: rich_header.hash.md5
       normalize: []
-      original_fieldset: hash
-      short: SHA256 hash.
+      original_fieldset: pe
+      short: MD5 hash of the header for the PE file.
       type: keyword
-    threat.enrichments.indicator.hash.sha512:
-      dashed_name: threat-enrichments-indicator-hash-sha512
-      description: SHA512 hash.
-      flat_name: threat.enrichments.indicator.hash.sha512
+    threat.enrichments.indicator.file.pe.sections:
+      dashed_name: threat-enrichments-indicator-file-pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: threat.enrichments.indicator.file.pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Data about sections of the compiled binary PE
+      type: nested
+    threat.enrichments.indicator.file.pe.sections.chi2:
+      dashed_name: threat-enrichments-indicator-file-pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: threat.enrichments.indicator.file.pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    threat.enrichments.indicator.file.pe.sections.entropy:
+      dashed_name: threat-enrichments-indicator-file-pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: threat.enrichments.indicator.file.pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the file.
+      type: float
+    threat.enrichments.indicator.file.pe.sections.flags:
+      dashed_name: threat-enrichments-indicator-file-pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: threat.enrichments.indicator.file.pe.sections.flags
       ignore_above: 1024
       level: extended
-      name: sha512
+      name: sections.flags
       normalize: []
-      original_fieldset: hash
-      short: SHA512 hash.
+      original_fieldset: pe
+      short: Section flags of the file.
       type: keyword
-    threat.enrichments.indicator.hash.ssdeep:
-      dashed_name: threat-enrichments-indicator-hash-ssdeep
-      description: SSDEEP hash.
-      flat_name: threat.enrichments.indicator.hash.ssdeep
+    threat.enrichments.indicator.file.pe.sections.name:
+      dashed_name: threat-enrichments-indicator-file-pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: threat.enrichments.indicator.file.pe.sections.name
       ignore_above: 1024
       level: extended
-      name: ssdeep
+      name: sections.name
       normalize: []
-      original_fieldset: hash
-      short: SSDEEP hash.
+      original_fieldset: pe
+      short: Section names of the file.
       type: keyword
-    threat.enrichments.indicator.ip:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-ip
-      description: Identifies a threat indicator as an IP address (irrespective of
-        direction).
-      example: 1.2.3.4
-      flat_name: threat.enrichments.indicator.ip
+    threat.enrichments.indicator.file.pe.sections.raw_size:
+      dashed_name: threat-enrichments-indicator-file-pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: threat.enrichments.indicator.file.pe.sections.raw_size
+      format: bytes
       level: extended
-      name: enrichments.indicator.ip
+      name: sections.raw_size
       normalize: []
-      short: Indicator IP address
-      type: ip
-    threat.enrichments.indicator.last_seen:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-last-seen
-      description: The date and time when intelligence source last reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.last_seen
+      original_fieldset: pe
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    threat.enrichments.indicator.file.pe.sections.virtual_address:
+      dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: threat.enrichments.indicator.file.pe.sections.virtual_address
+      format: bytes
       level: extended
-      name: enrichments.indicator.last_seen
+      name: sections.virtual_address
       normalize: []
-      short: Date/time indicator was last reported.
-      type: date
-    threat.enrichments.indicator.marking.tlp:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-marking-tlp
-      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
-        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-      example: White
-      flat_name: threat.enrichments.indicator.marking.tlp
+      original_fieldset: pe
+      short: Virtual address available to the file.
+      type: long
+    threat.enrichments.indicator.file.size:
+      dashed_name: threat-enrichments-indicator-file-size
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      flat_name: threat.enrichments.indicator.file.size
+      level: extended
+      name: size
+      normalize: []
+      original_fieldset: file
+      short: File size in bytes.
+      type: long
+    threat.enrichments.indicator.file.target_path:
+      dashed_name: threat-enrichments-indicator-file-target-path
+      description: Target path for symlinks.
+      flat_name: threat.enrichments.indicator.file.target_path
       ignore_above: 1024
       level: extended
-      name: enrichments.indicator.marking.tlp
+      multi_fields:
+      - flat_name: threat.enrichments.indicator.file.target_path.text
+        name: text
+        type: match_only_text
+      name: target_path
       normalize: []
-      short: Indicator TLP marking
+      original_fieldset: file
+      short: Target path for symlinks.
       type: keyword
-    threat.enrichments.indicator.modified_at:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-modified-at
-      description: The date and time when intelligence source last modified information
-        for this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.modified_at
+    threat.enrichments.indicator.file.type:
+      dashed_name: threat-enrichments-indicator-file-type
+      description: File type (file, dir, or symlink).
+      example: file
+      flat_name: threat.enrichments.indicator.file.type
+      ignore_above: 1024
       level: extended
-      name: enrichments.indicator.modified_at
+      name: type
       normalize: []
-      short: Date/time indicator was last updated.
-      type: date
-    threat.enrichments.indicator.pe.architecture:
-      dashed_name: threat-enrichments-indicator-pe-architecture
-      description: CPU architecture target for the file.
-      example: x64
-      flat_name: threat.enrichments.indicator.pe.architecture
+      original_fieldset: file
+      short: File type (file, dir, or symlink).
+      type: keyword
+    threat.enrichments.indicator.file.uid:
+      dashed_name: threat-enrichments-indicator-file-uid
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+      flat_name: threat.enrichments.indicator.file.uid
       ignore_above: 1024
       level: extended
-      name: architecture
+      name: uid
       normalize: []
-      original_fieldset: pe
-      short: CPU architecture target for the file.
+      original_fieldset: file
+      short: The user ID (UID) or security identifier (SID) of the file owner.
       type: keyword
-    threat.enrichments.indicator.pe.authentihash:
-      dashed_name: threat-enrichments-indicator-pe-authentihash
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-      flat_name: threat.enrichments.indicator.pe.authentihash
+    threat.enrichments.indicator.file.x509.alternative_names:
+      dashed_name: threat-enrichments-indicator-file-x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: threat.enrichments.indicator.file.x509.alternative_names
       ignore_above: 1024
       level: extended
-      name: authentihash
-      normalize: []
-      original_fieldset: pe
-      short: Authentihash of the PE file.
+      name: alternative_names
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of subject alternative names (SAN).
       type: keyword
-    threat.enrichments.indicator.pe.company:
-      dashed_name: threat-enrichments-indicator-pe-company
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      flat_name: threat.enrichments.indicator.pe.company
+    threat.enrichments.indicator.file.x509.issuer.common_name:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: threat.enrichments.indicator.file.x509.issuer.common_name
       ignore_above: 1024
       level: extended
-      name: company
-      normalize: []
-      original_fieldset: pe
-      short: Internal company name of the file, provided at compile-time.
+      name: issuer.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common name (CN) of issuing certificate authority.
       type: keyword
-    threat.enrichments.indicator.pe.compile_timestamp:
-      dashed_name: threat-enrichments-indicator-pe-compile-timestamp
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.pe.compile_timestamp
+    threat.enrichments.indicator.file.x509.issuer.country:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: threat.enrichments.indicator.file.x509.issuer.country
+      ignore_above: 1024
       level: extended
-      name: compile_timestamp
-      normalize: []
-      original_fieldset: pe
-      short: Compile timestamp of the PE file.
-      type: date
-    threat.enrichments.indicator.pe.compiler.name:
-      dashed_name: threat-enrichments-indicator-pe-compiler-name
-      description: Name of the compiler
-      example: Clang
-      flat_name: threat.enrichments.indicator.pe.compiler.name
+      name: issuer.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) codes
+      type: keyword
+    threat.enrichments.indicator.file.x509.issuer.distinguished_name:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: threat.enrichments.indicator.file.x509.issuer.distinguished_name
       ignore_above: 1024
       level: extended
-      name: compiler.name
+      name: issuer.distinguished_name
       normalize: []
-      original_fieldset: pe
-      short: Name of the compiler
+      original_fieldset: x509
+      short: Distinguished name (DN) of issuing certificate authority.
       type: keyword
-    threat.enrichments.indicator.pe.compiler.version:
-      dashed_name: threat-enrichments-indicator-pe-compiler-version
-      description: Version of the compiler.
-      example: 11.0.0
-      flat_name: threat.enrichments.indicator.pe.compiler.version
+    threat.enrichments.indicator.file.x509.issuer.locality:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: threat.enrichments.indicator.file.x509.issuer.locality
       ignore_above: 1024
       level: extended
-      name: compiler.version
-      normalize: []
-      original_fieldset: pe
-      short: Version of the compiler.
+      name: issuer.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
       type: keyword
-    threat.enrichments.indicator.pe.creation_date:
-      dashed_name: threat-enrichments-indicator-pe-creation-date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.pe.creation_date
+    threat.enrichments.indicator.file.x509.issuer.organization:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: threat.enrichments.indicator.file.x509.issuer.organization
+      ignore_above: 1024
       level: extended
-      name: creation_date
-      normalize: []
-      original_fieldset: pe
-      short: Build or compile date.
-      type: date
-    threat.enrichments.indicator.pe.debug:
-      dashed_name: threat-enrichments-indicator-pe-debug
-      description: 'An array containing an object for each debug entry, if present.
-
-        The expected fields for this nested object fall under the `debug.` prefix.'
-      flat_name: threat.enrichments.indicator.pe.debug
+      name: issuer.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of issuing certificate authority.
+      type: keyword
+    threat.enrichments.indicator.file.x509.issuer.organizational_unit:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: threat.enrichments.indicator.file.x509.issuer.organizational_unit
+      ignore_above: 1024
       level: extended
-      name: debug
+      name: issuer.organizational_unit
       normalize:
       - array
-      original_fieldset: pe
-      short: Debug information
-      type: nested
-    threat.enrichments.indicator.pe.debug.offset:
-      dashed_name: threat-enrichments-indicator-pe-debug-offset
-      description: Debug offset information.
-      example: 1296336
-      flat_name: threat.enrichments.indicator.pe.debug.offset
+      original_fieldset: x509
+      short: List of organizational units (OU) of issuing certificate authority.
+      type: keyword
+    threat.enrichments.indicator.file.x509.issuer.state_or_province:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.enrichments.indicator.file.x509.issuer.state_or_province
       ignore_above: 1024
       level: extended
-      name: debug.offset
-      normalize: []
-      original_fieldset: pe
-      short: Debug offset information.
+      name: issuer.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
       type: keyword
-    threat.enrichments.indicator.pe.debug.size:
-      dashed_name: threat-enrichments-indicator-pe-debug-size
-      description: Size of the debug information.
-      example: 816
-      flat_name: threat.enrichments.indicator.pe.debug.size
-      format: bytes
+    threat.enrichments.indicator.file.x509.not_after:
+      dashed_name: threat-enrichments-indicator-file-x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: threat.enrichments.indicator.file.x509.not_after
       level: extended
-      name: debug.size
+      name: not_after
       normalize: []
-      original_fieldset: pe
-      short: Size of the debug information.
-      type: long
-    threat.enrichments.indicator.pe.debug.timestamp:
-      dashed_name: threat-enrichments-indicator-pe-debug-timestamp
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.pe.debug.timestamp
+      original_fieldset: x509
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    threat.enrichments.indicator.file.x509.not_before:
+      dashed_name: threat-enrichments-indicator-file-x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: threat.enrichments.indicator.file.x509.not_before
       level: extended
-      name: debug.timestamp
+      name: not_before
       normalize: []
-      original_fieldset: pe
-      short: Timestamp of the debug information.
+      original_fieldset: x509
+      short: Time at which the certificate is first considered valid.
       type: date
-    threat.enrichments.indicator.pe.debug.type:
-      dashed_name: threat-enrichments-indicator-pe-debug-type
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
-      flat_name: threat.enrichments.indicator.pe.debug.type
+    threat.enrichments.indicator.file.x509.public_key_algorithm:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: threat.enrichments.indicator.file.x509.public_key_algorithm
       ignore_above: 1024
       level: extended
-      name: debug.type
+      name: public_key_algorithm
       normalize: []
-      original_fieldset: pe
-      short: Information type generated by the debug options.
+      original_fieldset: x509
+      short: Algorithm used to generate the public key.
       type: keyword
-    threat.enrichments.indicator.pe.description:
-      dashed_name: threat-enrichments-indicator-pe-description
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      flat_name: threat.enrichments.indicator.pe.description
+    threat.enrichments.indicator.file.x509.public_key_curve:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: threat.enrichments.indicator.file.x509.public_key_curve
       ignore_above: 1024
       level: extended
-      name: description
+      name: public_key_curve
       normalize: []
-      original_fieldset: pe
-      short: Internal description of the file, provided at compile-time.
+      original_fieldset: x509
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
       type: keyword
-    threat.enrichments.indicator.pe.entry_point:
-      dashed_name: threat-enrichments-indicator-pe-entry-point
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
-      flat_name: threat.enrichments.indicator.pe.entry_point
-      ignore_above: 1024
+    threat.enrichments.indicator.file.x509.public_key_exponent:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: threat.enrichments.indicator.file.x509.public_key_exponent
+      index: false
       level: extended
-      name: entry_point
+      name: public_key_exponent
       normalize: []
-      original_fieldset: pe
-      short: Relative byte offset to the base of the PE file.
-      type: keyword
-    threat.enrichments.indicator.pe.exports:
-      dashed_name: threat-enrichments-indicator-pe-exports
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-      flat_name: threat.enrichments.indicator.pe.exports
-      ignore_above: 1024
+      original_fieldset: x509
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    threat.enrichments.indicator.file.x509.public_key_size:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: threat.enrichments.indicator.file.x509.public_key_size
       level: extended
-      name: exports
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of symbols exported by PE
-      type: keyword
-    threat.enrichments.indicator.pe.file_version:
-      dashed_name: threat-enrichments-indicator-pe-file-version
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      flat_name: threat.enrichments.indicator.pe.file_version
+      name: public_key_size
+      normalize: []
+      original_fieldset: x509
+      short: The size of the public key space in bits.
+      type: long
+    threat.enrichments.indicator.file.x509.serial_number:
+      dashed_name: threat-enrichments-indicator-file-x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: threat.enrichments.indicator.file.x509.serial_number
       ignore_above: 1024
       level: extended
-      name: file_version
+      name: serial_number
       normalize: []
-      original_fieldset: pe
-      short: Process name.
+      original_fieldset: x509
+      short: Unique serial number issued by the certificate authority.
       type: keyword
-    threat.enrichments.indicator.pe.icon.hash.dhash:
-      dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
-      flat_name: threat.enrichments.indicator.pe.icon.hash.dhash
+    threat.enrichments.indicator.file.x509.signature_algorithm:
+      dashed_name: threat-enrichments-indicator-file-x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: threat.enrichments.indicator.file.x509.signature_algorithm
       ignore_above: 1024
       level: extended
-      name: icon.hash.dhash
+      name: signature_algorithm
       normalize: []
-      original_fieldset: pe
-      short: Difference Hash (dhash) to find files with a visually similar icon or
-        thumbnail.
+      original_fieldset: x509
+      short: Identifier for certificate signature algorithm.
       type: keyword
-    threat.enrichments.indicator.pe.imphash:
-      dashed_name: threat-enrichments-indicator-pe-imphash
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      flat_name: threat.enrichments.indicator.pe.imphash
+    threat.enrichments.indicator.file.x509.subject.common_name:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: threat.enrichments.indicator.file.x509.subject.common_name
       ignore_above: 1024
       level: extended
-      name: imphash
-      normalize: []
-      original_fieldset: pe
-      short: A hash of the imports in a PE file.
-      type: keyword
-    threat.enrichments.indicator.pe.imports:
-      dashed_name: threat-enrichments-indicator-pe-imports
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
-      flat_name: threat.enrichments.indicator.pe.imports
+      name: subject.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common names (CN) of subject.
+      type: keyword
+    threat.enrichments.indicator.file.x509.subject.country:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: threat.enrichments.indicator.file.x509.subject.country
+      ignore_above: 1024
       level: extended
-      name: imports
-      normalize: []
-      original_fieldset: pe
-      short: List of all imported functions
-      type: flattened
-    threat.enrichments.indicator.pe.machine_type:
-      dashed_name: threat-enrichments-indicator-pe-machine-type
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
-      flat_name: threat.enrichments.indicator.pe.machine_type
+      name: subject.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) code
+      type: keyword
+    threat.enrichments.indicator.file.x509.subject.distinguished_name:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: threat.enrichments.indicator.file.x509.subject.distinguished_name
       ignore_above: 1024
       level: extended
-      name: machine_type
+      name: subject.distinguished_name
       normalize: []
-      original_fieldset: pe
-      short: Machine type of the PE file.
+      original_fieldset: x509
+      short: Distinguished name (DN) of the certificate subject entity.
       type: keyword
-    threat.enrichments.indicator.pe.original_file_name:
-      dashed_name: threat-enrichments-indicator-pe-original-file-name
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      flat_name: threat.enrichments.indicator.pe.original_file_name
+    threat.enrichments.indicator.file.x509.subject.locality:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: threat.enrichments.indicator.file.x509.subject.locality
       ignore_above: 1024
       level: extended
-      name: original_file_name
-      normalize: []
-      original_fieldset: pe
-      short: Internal name of the file, provided at compile-time.
+      name: subject.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
       type: keyword
-    threat.enrichments.indicator.pe.packers:
-      dashed_name: threat-enrichments-indicator-pe-packers
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
-      flat_name: threat.enrichments.indicator.pe.packers
+    threat.enrichments.indicator.file.x509.subject.organization:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: threat.enrichments.indicator.file.x509.subject.organization
       ignore_above: 1024
       level: extended
-      name: packers
+      name: subject.organization
       normalize:
       - array
-      original_fieldset: pe
-      short: List of packers and tools used.
+      original_fieldset: x509
+      short: List of organizations (O) of subject.
       type: keyword
-    threat.enrichments.indicator.pe.product:
-      dashed_name: threat-enrichments-indicator-pe-product
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      flat_name: threat.enrichments.indicator.pe.product
+    threat.enrichments.indicator.file.x509.subject.organizational_unit:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: threat.enrichments.indicator.file.x509.subject.organizational_unit
       ignore_above: 1024
       level: extended
-      name: product
-      normalize: []
-      original_fieldset: pe
-      short: Internal product name of the file, provided at compile-time.
+      name: subject.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of subject.
       type: keyword
-    threat.enrichments.indicator.pe.resources:
-      dashed_name: threat-enrichments-indicator-pe-resources
-      description: 'An array containing an object for each PE resource, if present.
-
-        The expected fields for this nested object fall under the `resources.` prefix.'
-      flat_name: threat.enrichments.indicator.pe.resources
+    threat.enrichments.indicator.file.x509.subject.state_or_province:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.enrichments.indicator.file.x509.subject.state_or_province
+      ignore_above: 1024
       level: extended
-      name: resources
+      name: subject.state_or_province
       normalize:
       - array
-      original_fieldset: pe
-      short: PE resource information
-      type: nested
-    threat.enrichments.indicator.pe.resources.chi2:
-      dashed_name: threat-enrichments-indicator-pe-resources-chi2
-      description: Chi-square probability distribution.
-      example: -1
-      flat_name: threat.enrichments.indicator.pe.resources.chi2
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    threat.enrichments.indicator.file.x509.version_number:
+      dashed_name: threat-enrichments-indicator-file-x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: threat.enrichments.indicator.file.x509.version_number
+      ignore_above: 1024
       level: extended
-      name: resources.chi2
+      name: version_number
       normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    threat.enrichments.indicator.pe.resources.entropy:
-      dashed_name: threat-enrichments-indicator-pe-resources-entropy
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
-      flat_name: threat.enrichments.indicator.pe.resources.entropy
+      original_fieldset: x509
+      short: Version of x509 format.
+      type: keyword
+    threat.enrichments.indicator.first_seen:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-first-seen
+      description: The date and time when intelligence source first reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.first_seen
       level: extended
-      name: resources.entropy
+      name: enrichments.indicator.first_seen
       normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the resources section.
-      type: long
-    threat.enrichments.indicator.pe.resources.filetype:
-      dashed_name: threat-enrichments-indicator-pe-resources-filetype
-      description: File type of the resources section.
-      example: Data
-      flat_name: threat.enrichments.indicator.pe.resources.filetype
+      short: Date/time indicator was first reported.
+      type: date
+    threat.enrichments.indicator.geo.city_name:
+      dashed_name: threat-enrichments-indicator-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: threat.enrichments.indicator.geo.city_name
       ignore_above: 1024
-      level: extended
-      name: resources.filetype
+      level: core
+      name: city_name
       normalize: []
-      original_fieldset: pe
-      short: File type of the resources section.
+      original_fieldset: geo
+      short: City name.
       type: keyword
-    threat.enrichments.indicator.pe.resources.language:
-      dashed_name: threat-enrichments-indicator-pe-resources-language
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
-      flat_name: threat.enrichments.indicator.pe.resources.language
+    threat.enrichments.indicator.geo.continent_code:
+      dashed_name: threat-enrichments-indicator-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: threat.enrichments.indicator.geo.continent_code
       ignore_above: 1024
-      level: extended
-      name: resources.language
+      level: core
+      name: continent_code
       normalize: []
-      original_fieldset: pe
-      short: Language identification.
+      original_fieldset: geo
+      short: Continent code.
       type: keyword
-    threat.enrichments.indicator.pe.resources.sha256:
-      dashed_name: threat-enrichments-indicator-pe-resources-sha256
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-      flat_name: threat.enrichments.indicator.pe.resources.sha256
+    threat.enrichments.indicator.geo.continent_name:
+      dashed_name: threat-enrichments-indicator-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: threat.enrichments.indicator.geo.continent_name
       ignore_above: 1024
-      level: extended
-      name: resources.sha256
+      level: core
+      name: continent_name
       normalize: []
-      original_fieldset: pe
-      short: SHA256 hash of resources section.
+      original_fieldset: geo
+      short: Name of the continent.
       type: keyword
-    threat.enrichments.indicator.pe.resources.type:
-      dashed_name: threat-enrichments-indicator-pe-resources-type
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
-      flat_name: threat.enrichments.indicator.pe.resources.type
+    threat.enrichments.indicator.geo.country_iso_code:
+      dashed_name: threat-enrichments-indicator-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: threat.enrichments.indicator.geo.country_iso_code
       ignore_above: 1024
-      level: extended
-      name: resources.type
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of resource types.
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
       type: keyword
-    threat.enrichments.indicator.pe.rich_header.hash.md5:
-      dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-      flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5
+    threat.enrichments.indicator.geo.country_name:
+      dashed_name: threat-enrichments-indicator-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: threat.enrichments.indicator.geo.country_name
       ignore_above: 1024
-      level: extended
-      name: rich_header.hash.md5
+      level: core
+      name: country_name
       normalize: []
-      original_fieldset: pe
-      short: MD5 hash of the header for the PE file.
+      original_fieldset: geo
+      short: Country name.
       type: keyword
-    threat.enrichments.indicator.pe.sections:
-      dashed_name: threat-enrichments-indicator-pe-sections
-      description: Data about sections of compiled binary PE
-      flat_name: threat.enrichments.indicator.pe.sections
-      level: extended
-      name: sections
-      normalize:
-      - array
-      original_fieldset: pe
-      short: Data about sections of the compiled binary PE
-      type: nested
-    threat.enrichments.indicator.pe.sections.chi2:
-      dashed_name: threat-enrichments-indicator-pe-sections-chi2
-      description: Chi-square probability distribution.
-      example: 3027194
-      flat_name: threat.enrichments.indicator.pe.sections.chi2
+    threat.enrichments.indicator.geo.location:
+      dashed_name: threat-enrichments-indicator-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: threat.enrichments.indicator.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    threat.enrichments.indicator.geo.name:
+      dashed_name: threat-enrichments-indicator-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: threat.enrichments.indicator.geo.name
+      ignore_above: 1024
       level: extended
-      name: sections.chi2
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: keyword
+    threat.enrichments.indicator.geo.postal_code:
+      dashed_name: threat-enrichments-indicator-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: threat.enrichments.indicator.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
+    threat.enrichments.indicator.geo.region_iso_code:
+      dashed_name: threat-enrichments-indicator-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: threat.enrichments.indicator.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    threat.enrichments.indicator.geo.region_name:
+      dashed_name: threat-enrichments-indicator-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: threat.enrichments.indicator.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
       normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    threat.enrichments.indicator.pe.sections.entropy:
-      dashed_name: threat-enrichments-indicator-pe-sections-entropy
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
-      flat_name: threat.enrichments.indicator.pe.sections.entropy
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    threat.enrichments.indicator.geo.timezone:
+      dashed_name: threat-enrichments-indicator-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: threat.enrichments.indicator.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
+    threat.enrichments.indicator.ip:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-ip
+      description: Identifies a threat indicator as an IP address (irrespective of
+        direction).
+      example: 1.2.3.4
+      flat_name: threat.enrichments.indicator.ip
       level: extended
-      name: sections.entropy
+      name: enrichments.indicator.ip
       normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the file.
-      type: float
-    threat.enrichments.indicator.pe.sections.flags:
-      dashed_name: threat-enrichments-indicator-pe-sections-flags
-      description: Section flags of the file.
-      example: rx
-      flat_name: threat.enrichments.indicator.pe.sections.flags
-      ignore_above: 1024
+      short: Indicator IP address
+      type: ip
+    threat.enrichments.indicator.last_seen:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-last-seen
+      description: The date and time when intelligence source last reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.last_seen
       level: extended
-      name: sections.flags
+      name: enrichments.indicator.last_seen
       normalize: []
-      original_fieldset: pe
-      short: Section flags of the file.
-      type: keyword
-    threat.enrichments.indicator.pe.sections.name:
-      dashed_name: threat-enrichments-indicator-pe-sections-name
-      description: Section names of the file.
-      example: .text, .data
-      flat_name: threat.enrichments.indicator.pe.sections.name
+      short: Date/time indicator was last reported.
+      type: date
+    threat.enrichments.indicator.marking.tlp:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-marking-tlp
+      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
+        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+      example: White
+      flat_name: threat.enrichments.indicator.marking.tlp
       ignore_above: 1024
       level: extended
-      name: sections.name
+      name: enrichments.indicator.marking.tlp
       normalize: []
-      original_fieldset: pe
-      short: Section names of the file.
+      short: Indicator TLP marking
       type: keyword
-    threat.enrichments.indicator.pe.sections.raw_size:
-      dashed_name: threat-enrichments-indicator-pe-sections-raw-size
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      flat_name: threat.enrichments.indicator.pe.sections.raw_size
-      format: bytes
-      level: extended
-      name: sections.raw_size
-      normalize: []
-      original_fieldset: pe
-      short: Size of the section or the dize of the initialized data on disk.
-      type: long
-    threat.enrichments.indicator.pe.sections.virtual_address:
-      dashed_name: threat-enrichments-indicator-pe-sections-virtual-address
-      description: Virtual address available to the file.
-      example: 8192
-      flat_name: threat.enrichments.indicator.pe.sections.virtual_address
-      format: bytes
+    threat.enrichments.indicator.modified_at:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-modified-at
+      description: The date and time when intelligence source last modified information
+        for this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.modified_at
       level: extended
-      name: sections.virtual_address
+      name: enrichments.indicator.modified_at
       normalize: []
-      original_fieldset: pe
-      short: Virtual address available to the file.
-      type: long
+      short: Date/time indicator was last updated.
+      type: date
     threat.enrichments.indicator.port:
       beta: This field is beta and subject to change.
       dashed_name: threat-enrichments-indicator-port
@@ -17277,6 +15925,16 @@ threat:
       normalize: []
       short: Matched indicator index
       type: keyword
+    threat.enrichments.matched.occurred:
+      dashed_name: threat-enrichments-matched-occurred
+      description: Indicates when the indicator match was generated
+      example: 2021-10-05 17:00:58.326000+00:00
+      flat_name: threat.enrichments.matched.occurred
+      level: extended
+      name: enrichments.matched.occurred
+      normalize: []
+      short: Date of match
+      type: date
     threat.enrichments.matched.type:
       beta: This field is beta and subject to change.
       dashed_name: threat-enrichments-matched-type
@@ -18032,6 +16690,61 @@ threat:
       original_fieldset: file
       short: Primary group name of the file.
       type: keyword
+    threat.indicator.file.hash.md5:
+      dashed_name: threat-indicator-file-hash-md5
+      description: MD5 hash.
+      flat_name: threat.indicator.file.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    threat.indicator.file.hash.sha1:
+      dashed_name: threat-indicator-file-hash-sha1
+      description: SHA1 hash.
+      flat_name: threat.indicator.file.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    threat.indicator.file.hash.sha256:
+      dashed_name: threat-indicator-file-hash-sha256
+      description: SHA256 hash.
+      flat_name: threat.indicator.file.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    threat.indicator.file.hash.sha512:
+      dashed_name: threat-indicator-file-hash-sha512
+      description: SHA512 hash.
+      flat_name: threat.indicator.file.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    threat.indicator.file.hash.ssdeep:
+      dashed_name: threat-indicator-file-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: threat.indicator.file.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     threat.indicator.file.inode:
       dashed_name: threat-indicator-file-inode
       description: Inode representing the file in the filesystem.
@@ -18121,769 +16834,1020 @@ threat:
       original_fieldset: file
       short: Full path to the file, including the file name.
       type: keyword
-    threat.indicator.file.size:
-      dashed_name: threat-indicator-file-size
-      description: 'File size in bytes.
+    threat.indicator.file.pe.architecture:
+      dashed_name: threat-indicator-file-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: threat.indicator.file.pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    threat.indicator.file.pe.authentihash:
+      dashed_name: threat-indicator-file-pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: threat.indicator.file.pe.authentihash
+      ignore_above: 1024
+      level: extended
+      name: authentihash
+      normalize: []
+      original_fieldset: pe
+      short: Authentihash of the PE file.
+      type: keyword
+    threat.indicator.file.pe.company:
+      dashed_name: threat-indicator-file-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: threat.indicator.file.pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.file.pe.compile_timestamp:
+      dashed_name: threat-indicator-file-pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.file.pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Compile timestamp of the PE file.
+      type: date
+    threat.indicator.file.pe.compiler.name:
+      dashed_name: threat-indicator-file-pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: threat.indicator.file.pe.compiler.name
+      ignore_above: 1024
+      level: extended
+      name: compiler.name
+      normalize: []
+      original_fieldset: pe
+      short: Name of the compiler
+      type: keyword
+    threat.indicator.file.pe.compiler.version:
+      dashed_name: threat-indicator-file-pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: threat.indicator.file.pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      original_fieldset: pe
+      short: Version of the compiler.
+      type: keyword
+    threat.indicator.file.pe.creation_date:
+      dashed_name: threat-indicator-file-pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.file.pe.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: pe
+      short: Build or compile date.
+      type: date
+    threat.indicator.file.pe.debug:
+      dashed_name: threat-indicator-file-pe-debug
+      description: 'An array containing an object for each debug entry, if present.
 
-        Only relevant when `file.type` is "file".'
-      example: 16384
-      flat_name: threat.indicator.file.size
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: threat.indicator.file.pe.debug
       level: extended
-      name: size
+      name: debug
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Debug information
+      type: nested
+    threat.indicator.file.pe.debug.offset:
+      dashed_name: threat-indicator-file-pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: threat.indicator.file.pe.debug.offset
+      ignore_above: 1024
+      level: extended
+      name: debug.offset
       normalize: []
-      original_fieldset: file
-      short: File size in bytes.
+      original_fieldset: pe
+      short: Debug offset information.
+      type: keyword
+    threat.indicator.file.pe.debug.size:
+      dashed_name: threat-indicator-file-pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: threat.indicator.file.pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the debug information.
       type: long
-    threat.indicator.file.target_path:
-      dashed_name: threat-indicator-file-target-path
-      description: Target path for symlinks.
-      flat_name: threat.indicator.file.target_path
+    threat.indicator.file.pe.debug.timestamp:
+      dashed_name: threat-indicator-file-pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.file.pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Timestamp of the debug information.
+      type: date
+    threat.indicator.file.pe.debug.type:
+      dashed_name: threat-indicator-file-pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: threat.indicator.file.pe.debug.type
+      ignore_above: 1024
+      level: extended
+      name: debug.type
+      normalize: []
+      original_fieldset: pe
+      short: Information type generated by the debug options.
+      type: keyword
+    threat.indicator.file.pe.description:
+      dashed_name: threat-indicator-file-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: threat.indicator.file.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.file.pe.entry_point:
+      dashed_name: threat-indicator-file-pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: threat.indicator.file.pe.entry_point
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: threat.indicator.file.target_path.text
-        name: text
-        type: match_only_text
-      name: target_path
+      name: entry_point
       normalize: []
-      original_fieldset: file
-      short: Target path for symlinks.
+      original_fieldset: pe
+      short: Relative byte offset to the base of the PE file.
       type: keyword
-    threat.indicator.file.type:
-      dashed_name: threat-indicator-file-type
-      description: File type (file, dir, or symlink).
-      example: file
-      flat_name: threat.indicator.file.type
+    threat.indicator.file.pe.exports:
+      dashed_name: threat-indicator-file-pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: threat.indicator.file.pe.exports
       ignore_above: 1024
       level: extended
-      name: type
-      normalize: []
-      original_fieldset: file
-      short: File type (file, dir, or symlink).
+      name: exports
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of symbols exported by PE
       type: keyword
-    threat.indicator.file.uid:
-      dashed_name: threat-indicator-file-uid
-      description: The user ID (UID) or security identifier (SID) of the file owner.
-      example: '1001'
-      flat_name: threat.indicator.file.uid
+    threat.indicator.file.pe.file_version:
+      dashed_name: threat-indicator-file-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: threat.indicator.file.pe.file_version
       ignore_above: 1024
       level: extended
-      name: uid
+      name: file_version
       normalize: []
-      original_fieldset: file
-      short: The user ID (UID) or security identifier (SID) of the file owner.
+      original_fieldset: pe
+      short: Process name.
       type: keyword
-    threat.indicator.first_seen:
-      dashed_name: threat-indicator-first-seen
-      description: The date and time when intelligence source first reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.indicator.first_seen
+    threat.indicator.file.pe.icon.hash.dhash:
+      dashed_name: threat-indicator-file-pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: threat.indicator.file.pe.icon.hash.dhash
+      ignore_above: 1024
       level: extended
-      name: indicator.first_seen
+      name: icon.hash.dhash
       normalize: []
-      short: Date/time indicator was first reported.
-      type: date
-    threat.indicator.geo.city_name:
-      dashed_name: threat-indicator-geo-city-name
-      description: City name.
-      example: Montreal
-      flat_name: threat.indicator.geo.city_name
+      original_fieldset: pe
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
+    threat.indicator.file.pe.imphash:
+      dashed_name: threat-indicator-file-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: threat.indicator.file.pe.imphash
       ignore_above: 1024
-      level: core
-      name: city_name
+      level: extended
+      name: imphash
       normalize: []
-      original_fieldset: geo
-      short: City name.
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
       type: keyword
-    threat.indicator.geo.continent_code:
-      dashed_name: threat-indicator-geo-continent-code
-      description: Two-letter code representing continent's name.
-      example: NA
-      flat_name: threat.indicator.geo.continent_code
+    threat.indicator.file.pe.imports:
+      dashed_name: threat-indicator-file-pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: threat.indicator.file.pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: pe
+      short: List of all imported functions
+      type: flattened
+    threat.indicator.file.pe.machine_type:
+      dashed_name: threat-indicator-file-pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: threat.indicator.file.pe.machine_type
       ignore_above: 1024
-      level: core
-      name: continent_code
+      level: extended
+      name: machine_type
       normalize: []
-      original_fieldset: geo
-      short: Continent code.
+      original_fieldset: pe
+      short: Machine type of the PE file.
       type: keyword
-    threat.indicator.geo.continent_name:
-      dashed_name: threat-indicator-geo-continent-name
-      description: Name of the continent.
-      example: North America
-      flat_name: threat.indicator.geo.continent_name
+    threat.indicator.file.pe.original_file_name:
+      dashed_name: threat-indicator-file-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: threat.indicator.file.pe.original_file_name
       ignore_above: 1024
-      level: core
-      name: continent_name
+      level: extended
+      name: original_file_name
       normalize: []
-      original_fieldset: geo
-      short: Name of the continent.
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
       type: keyword
-    threat.indicator.geo.country_iso_code:
-      dashed_name: threat-indicator-geo-country-iso-code
-      description: Country ISO code.
-      example: CA
-      flat_name: threat.indicator.geo.country_iso_code
+    threat.indicator.file.pe.packers:
+      dashed_name: threat-indicator-file-pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: threat.indicator.file.pe.packers
       ignore_above: 1024
-      level: core
-      name: country_iso_code
-      normalize: []
-      original_fieldset: geo
-      short: Country ISO code.
+      level: extended
+      name: packers
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of packers and tools used.
       type: keyword
-    threat.indicator.geo.country_name:
-      dashed_name: threat-indicator-geo-country-name
-      description: Country name.
-      example: Canada
-      flat_name: threat.indicator.geo.country_name
+    threat.indicator.file.pe.product:
+      dashed_name: threat-indicator-file-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: threat.indicator.file.pe.product
       ignore_above: 1024
-      level: core
-      name: country_name
+      level: extended
+      name: product
       normalize: []
-      original_fieldset: geo
-      short: Country name.
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
       type: keyword
-    threat.indicator.geo.location:
-      dashed_name: threat-indicator-geo-location
-      description: Longitude and latitude.
-      example: '{ "lon": -73.614830, "lat": 45.505918 }'
-      flat_name: threat.indicator.geo.location
-      level: core
-      name: location
-      normalize: []
-      original_fieldset: geo
-      short: Longitude and latitude.
-      type: geo_point
-    threat.indicator.geo.name:
-      dashed_name: threat-indicator-geo-name
-      description: 'User-defined description of a location, at the level of granularity
-        they care about.
-
-        Could be the name of their data centers, the floor number, if this describes
-        a local physical entity, city names.
+    threat.indicator.file.pe.resources:
+      dashed_name: threat-indicator-file-pe-resources
+      description: 'An array containing an object for each PE resource, if present.
 
-        Not typically used in automated geolocation.'
-      example: boston-dc
-      flat_name: threat.indicator.geo.name
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: threat.indicator.file.pe.resources
+      level: extended
+      name: resources
+      normalize:
+      - array
+      original_fieldset: pe
+      short: PE resource information
+      type: nested
+    threat.indicator.file.pe.resources.chi2:
+      dashed_name: threat-indicator-file-pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: threat.indicator.file.pe.resources.chi2
+      level: extended
+      name: resources.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    threat.indicator.file.pe.resources.entropy:
+      dashed_name: threat-indicator-file-pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: threat.indicator.file.pe.resources.entropy
+      level: extended
+      name: resources.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    threat.indicator.file.pe.resources.filetype:
+      dashed_name: threat-indicator-file-pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: threat.indicator.file.pe.resources.filetype
       ignore_above: 1024
       level: extended
-      name: name
+      name: resources.filetype
       normalize: []
-      original_fieldset: geo
-      short: User-defined description of a location.
+      original_fieldset: pe
+      short: File type of the resources section.
       type: keyword
-    threat.indicator.geo.postal_code:
-      dashed_name: threat-indicator-geo-postal-code
-      description: 'Postal code associated with the location.
-
-        Values appropriate for this field may also be known as a postcode or ZIP code
-        and will vary widely from country to country.'
-      example: 94040
-      flat_name: threat.indicator.geo.postal_code
+    threat.indicator.file.pe.resources.language:
+      dashed_name: threat-indicator-file-pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: threat.indicator.file.pe.resources.language
       ignore_above: 1024
-      level: core
-      name: postal_code
+      level: extended
+      name: resources.language
       normalize: []
-      original_fieldset: geo
-      short: Postal code.
+      original_fieldset: pe
+      short: Language identification.
       type: keyword
-    threat.indicator.geo.region_iso_code:
-      dashed_name: threat-indicator-geo-region-iso-code
-      description: Region ISO code.
-      example: CA-QC
-      flat_name: threat.indicator.geo.region_iso_code
+    threat.indicator.file.pe.resources.sha256:
+      dashed_name: threat-indicator-file-pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: threat.indicator.file.pe.resources.sha256
       ignore_above: 1024
-      level: core
-      name: region_iso_code
+      level: extended
+      name: resources.sha256
       normalize: []
-      original_fieldset: geo
-      short: Region ISO code.
+      original_fieldset: pe
+      short: SHA256 hash of resources section.
       type: keyword
-    threat.indicator.geo.region_name:
-      dashed_name: threat-indicator-geo-region-name
-      description: Region name.
-      example: Quebec
-      flat_name: threat.indicator.geo.region_name
+    threat.indicator.file.pe.resources.type:
+      dashed_name: threat-indicator-file-pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: threat.indicator.file.pe.resources.type
+      ignore_above: 1024
+      level: extended
+      name: resources.type
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of resource types.
+      type: keyword
+    threat.indicator.file.pe.rich_header.hash.md5:
+      dashed_name: threat-indicator-file-pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: threat.indicator.file.pe.rich_header.hash.md5
       ignore_above: 1024
-      level: core
-      name: region_name
+      level: extended
+      name: rich_header.hash.md5
       normalize: []
-      original_fieldset: geo
-      short: Region name.
+      original_fieldset: pe
+      short: MD5 hash of the header for the PE file.
       type: keyword
-    threat.indicator.geo.timezone:
-      dashed_name: threat-indicator-geo-timezone
-      description: The time zone of the location, such as IANA time zone name.
-      example: America/Argentina/Buenos_Aires
-      flat_name: threat.indicator.geo.timezone
+    threat.indicator.file.pe.sections:
+      dashed_name: threat-indicator-file-pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: threat.indicator.file.pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Data about sections of the compiled binary PE
+      type: nested
+    threat.indicator.file.pe.sections.chi2:
+      dashed_name: threat-indicator-file-pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: threat.indicator.file.pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    threat.indicator.file.pe.sections.entropy:
+      dashed_name: threat-indicator-file-pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: threat.indicator.file.pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the file.
+      type: float
+    threat.indicator.file.pe.sections.flags:
+      dashed_name: threat-indicator-file-pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: threat.indicator.file.pe.sections.flags
       ignore_above: 1024
-      level: core
-      name: timezone
+      level: extended
+      name: sections.flags
       normalize: []
-      original_fieldset: geo
-      short: Time zone.
+      original_fieldset: pe
+      short: Section flags of the file.
       type: keyword
-    threat.indicator.hash.md5:
-      dashed_name: threat-indicator-hash-md5
-      description: MD5 hash.
-      flat_name: threat.indicator.hash.md5
+    threat.indicator.file.pe.sections.name:
+      dashed_name: threat-indicator-file-pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: threat.indicator.file.pe.sections.name
       ignore_above: 1024
       level: extended
-      name: md5
+      name: sections.name
       normalize: []
-      original_fieldset: hash
-      short: MD5 hash.
+      original_fieldset: pe
+      short: Section names of the file.
       type: keyword
-    threat.indicator.hash.sha1:
-      dashed_name: threat-indicator-hash-sha1
-      description: SHA1 hash.
-      flat_name: threat.indicator.hash.sha1
+    threat.indicator.file.pe.sections.raw_size:
+      dashed_name: threat-indicator-file-pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: threat.indicator.file.pe.sections.raw_size
+      format: bytes
+      level: extended
+      name: sections.raw_size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    threat.indicator.file.pe.sections.virtual_address:
+      dashed_name: threat-indicator-file-pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: threat.indicator.file.pe.sections.virtual_address
+      format: bytes
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: pe
+      short: Virtual address available to the file.
+      type: long
+    threat.indicator.file.size:
+      dashed_name: threat-indicator-file-size
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      flat_name: threat.indicator.file.size
+      level: extended
+      name: size
+      normalize: []
+      original_fieldset: file
+      short: File size in bytes.
+      type: long
+    threat.indicator.file.target_path:
+      dashed_name: threat-indicator-file-target-path
+      description: Target path for symlinks.
+      flat_name: threat.indicator.file.target_path
       ignore_above: 1024
       level: extended
-      name: sha1
+      multi_fields:
+      - flat_name: threat.indicator.file.target_path.text
+        name: text
+        type: match_only_text
+      name: target_path
       normalize: []
-      original_fieldset: hash
-      short: SHA1 hash.
+      original_fieldset: file
+      short: Target path for symlinks.
       type: keyword
-    threat.indicator.hash.sha256:
-      dashed_name: threat-indicator-hash-sha256
-      description: SHA256 hash.
-      flat_name: threat.indicator.hash.sha256
+    threat.indicator.file.type:
+      dashed_name: threat-indicator-file-type
+      description: File type (file, dir, or symlink).
+      example: file
+      flat_name: threat.indicator.file.type
       ignore_above: 1024
       level: extended
-      name: sha256
+      name: type
       normalize: []
-      original_fieldset: hash
-      short: SHA256 hash.
+      original_fieldset: file
+      short: File type (file, dir, or symlink).
       type: keyword
-    threat.indicator.hash.sha512:
-      dashed_name: threat-indicator-hash-sha512
-      description: SHA512 hash.
-      flat_name: threat.indicator.hash.sha512
+    threat.indicator.file.uid:
+      dashed_name: threat-indicator-file-uid
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+      flat_name: threat.indicator.file.uid
       ignore_above: 1024
       level: extended
-      name: sha512
+      name: uid
       normalize: []
-      original_fieldset: hash
-      short: SHA512 hash.
+      original_fieldset: file
+      short: The user ID (UID) or security identifier (SID) of the file owner.
       type: keyword
-    threat.indicator.hash.ssdeep:
-      dashed_name: threat-indicator-hash-ssdeep
-      description: SSDEEP hash.
-      flat_name: threat.indicator.hash.ssdeep
+    threat.indicator.file.x509.alternative_names:
+      dashed_name: threat-indicator-file-x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: threat.indicator.file.x509.alternative_names
       ignore_above: 1024
       level: extended
-      name: ssdeep
-      normalize: []
-      original_fieldset: hash
-      short: SSDEEP hash.
+      name: alternative_names
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of subject alternative names (SAN).
       type: keyword
-    threat.indicator.ip:
-      dashed_name: threat-indicator-ip
-      description: Identifies a threat indicator as an IP address (irrespective of
-        direction).
-      example: 1.2.3.4
-      flat_name: threat.indicator.ip
+    threat.indicator.file.x509.issuer.common_name:
+      dashed_name: threat-indicator-file-x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: threat.indicator.file.x509.issuer.common_name
+      ignore_above: 1024
       level: extended
-      name: indicator.ip
-      normalize: []
-      short: Indicator IP address
-      type: ip
-    threat.indicator.last_seen:
-      dashed_name: threat-indicator-last-seen
-      description: The date and time when intelligence source last reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.indicator.last_seen
+      name: issuer.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common name (CN) of issuing certificate authority.
+      type: keyword
+    threat.indicator.file.x509.issuer.country:
+      dashed_name: threat-indicator-file-x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: threat.indicator.file.x509.issuer.country
+      ignore_above: 1024
       level: extended
-      name: indicator.last_seen
-      normalize: []
-      short: Date/time indicator was last reported.
-      type: date
-    threat.indicator.marking.tlp:
-      dashed_name: threat-indicator-marking-tlp
-      description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
-        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-      example: WHITE
-      flat_name: threat.indicator.marking.tlp
+      name: issuer.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) codes
+      type: keyword
+    threat.indicator.file.x509.issuer.distinguished_name:
+      dashed_name: threat-indicator-file-x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: threat.indicator.file.x509.issuer.distinguished_name
       ignore_above: 1024
       level: extended
-      name: indicator.marking.tlp
+      name: issuer.distinguished_name
       normalize: []
-      short: Indicator TLP marking
+      original_fieldset: x509
+      short: Distinguished name (DN) of issuing certificate authority.
       type: keyword
-    threat.indicator.modified_at:
-      dashed_name: threat-indicator-modified-at
-      description: The date and time when intelligence source last modified information
-        for this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.indicator.modified_at
+    threat.indicator.file.x509.issuer.locality:
+      dashed_name: threat-indicator-file-x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: threat.indicator.file.x509.issuer.locality
+      ignore_above: 1024
       level: extended
-      name: indicator.modified_at
-      normalize: []
-      short: Date/time indicator was last updated.
-      type: date
-    threat.indicator.pe.architecture:
-      dashed_name: threat-indicator-pe-architecture
-      description: CPU architecture target for the file.
-      example: x64
-      flat_name: threat.indicator.pe.architecture
+      name: issuer.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    threat.indicator.file.x509.issuer.organization:
+      dashed_name: threat-indicator-file-x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: threat.indicator.file.x509.issuer.organization
       ignore_above: 1024
       level: extended
-      name: architecture
-      normalize: []
-      original_fieldset: pe
-      short: CPU architecture target for the file.
+      name: issuer.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of issuing certificate authority.
       type: keyword
-    threat.indicator.pe.authentihash:
-      dashed_name: threat-indicator-pe-authentihash
-      description: Authentihash of the PE file.
-      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
-      flat_name: threat.indicator.pe.authentihash
+    threat.indicator.file.x509.issuer.organizational_unit:
+      dashed_name: threat-indicator-file-x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: threat.indicator.file.x509.issuer.organizational_unit
       ignore_above: 1024
       level: extended
-      name: authentihash
-      normalize: []
-      original_fieldset: pe
-      short: Authentihash of the PE file.
+      name: issuer.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of issuing certificate authority.
       type: keyword
-    threat.indicator.pe.company:
-      dashed_name: threat-indicator-pe-company
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      flat_name: threat.indicator.pe.company
+    threat.indicator.file.x509.issuer.state_or_province:
+      dashed_name: threat-indicator-file-x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.indicator.file.x509.issuer.state_or_province
       ignore_above: 1024
       level: extended
-      name: company
-      normalize: []
-      original_fieldset: pe
-      short: Internal company name of the file, provided at compile-time.
+      name: issuer.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
       type: keyword
-    threat.indicator.pe.compile_timestamp:
-      dashed_name: threat-indicator-pe-compile-timestamp
-      description: Compile timestamp of the PE file.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.indicator.pe.compile_timestamp
+    threat.indicator.file.x509.not_after:
+      dashed_name: threat-indicator-file-x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: threat.indicator.file.x509.not_after
+      level: extended
+      name: not_after
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    threat.indicator.file.x509.not_before:
+      dashed_name: threat-indicator-file-x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: threat.indicator.file.x509.not_before
       level: extended
-      name: compile_timestamp
+      name: not_before
       normalize: []
-      original_fieldset: pe
-      short: Compile timestamp of the PE file.
+      original_fieldset: x509
+      short: Time at which the certificate is first considered valid.
       type: date
-    threat.indicator.pe.compiler.name:
-      dashed_name: threat-indicator-pe-compiler-name
-      description: Name of the compiler
-      example: Clang
-      flat_name: threat.indicator.pe.compiler.name
+    threat.indicator.file.x509.public_key_algorithm:
+      dashed_name: threat-indicator-file-x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: threat.indicator.file.x509.public_key_algorithm
       ignore_above: 1024
       level: extended
-      name: compiler.name
+      name: public_key_algorithm
       normalize: []
-      original_fieldset: pe
-      short: Name of the compiler
+      original_fieldset: x509
+      short: Algorithm used to generate the public key.
       type: keyword
-    threat.indicator.pe.compiler.version:
-      dashed_name: threat-indicator-pe-compiler-version
-      description: Version of the compiler.
-      example: 11.0.0
-      flat_name: threat.indicator.pe.compiler.version
+    threat.indicator.file.x509.public_key_curve:
+      dashed_name: threat-indicator-file-x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: threat.indicator.file.x509.public_key_curve
       ignore_above: 1024
       level: extended
-      name: compiler.version
+      name: public_key_curve
       normalize: []
-      original_fieldset: pe
-      short: Version of the compiler.
+      original_fieldset: x509
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
       type: keyword
-    threat.indicator.pe.creation_date:
-      dashed_name: threat-indicator-pe-creation-date
-      description: Extracted when possible from the file's metadata. Indicates when
-        it was built or compiled. It can also be faked by malware creators.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.indicator.pe.creation_date
+    threat.indicator.file.x509.public_key_exponent:
+      dashed_name: threat-indicator-file-x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: threat.indicator.file.x509.public_key_exponent
+      index: false
       level: extended
-      name: creation_date
+      name: public_key_exponent
       normalize: []
-      original_fieldset: pe
-      short: Build or compile date.
-      type: date
-    threat.indicator.pe.debug:
-      dashed_name: threat-indicator-pe-debug
-      description: 'An array containing an object for each debug entry, if present.
-
-        The expected fields for this nested object fall under the `debug.` prefix.'
-      flat_name: threat.indicator.pe.debug
+      original_fieldset: x509
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    threat.indicator.file.x509.public_key_size:
+      dashed_name: threat-indicator-file-x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: threat.indicator.file.x509.public_key_size
       level: extended
-      name: debug
-      normalize:
-      - array
-      original_fieldset: pe
-      short: Debug information
-      type: nested
-    threat.indicator.pe.debug.offset:
-      dashed_name: threat-indicator-pe-debug-offset
-      description: Debug offset information.
-      example: 1296336
-      flat_name: threat.indicator.pe.debug.offset
+      name: public_key_size
+      normalize: []
+      original_fieldset: x509
+      short: The size of the public key space in bits.
+      type: long
+    threat.indicator.file.x509.serial_number:
+      dashed_name: threat-indicator-file-x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: threat.indicator.file.x509.serial_number
       ignore_above: 1024
       level: extended
-      name: debug.offset
+      name: serial_number
       normalize: []
-      original_fieldset: pe
-      short: Debug offset information.
+      original_fieldset: x509
+      short: Unique serial number issued by the certificate authority.
       type: keyword
-    threat.indicator.pe.debug.size:
-      dashed_name: threat-indicator-pe-debug-size
-      description: Size of the debug information.
-      example: 816
-      flat_name: threat.indicator.pe.debug.size
-      format: bytes
+    threat.indicator.file.x509.signature_algorithm:
+      dashed_name: threat-indicator-file-x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: threat.indicator.file.x509.signature_algorithm
+      ignore_above: 1024
       level: extended
-      name: debug.size
+      name: signature_algorithm
       normalize: []
-      original_fieldset: pe
-      short: Size of the debug information.
-      type: long
-    threat.indicator.pe.debug.timestamp:
-      dashed_name: threat-indicator-pe-debug-timestamp
-      description: Timestamp of the debug information.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.indicator.pe.debug.timestamp
+      original_fieldset: x509
+      short: Identifier for certificate signature algorithm.
+      type: keyword
+    threat.indicator.file.x509.subject.common_name:
+      dashed_name: threat-indicator-file-x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: threat.indicator.file.x509.subject.common_name
+      ignore_above: 1024
       level: extended
-      name: debug.timestamp
-      normalize: []
-      original_fieldset: pe
-      short: Timestamp of the debug information.
-      type: date
-    threat.indicator.pe.debug.type:
-      dashed_name: threat-indicator-pe-debug-type
-      description: Information type generated by the debug options.
-      example: IMAGE_DEBUG_TYPE_POGO
-      flat_name: threat.indicator.pe.debug.type
+      name: subject.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common names (CN) of subject.
+      type: keyword
+    threat.indicator.file.x509.subject.country:
+      dashed_name: threat-indicator-file-x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: threat.indicator.file.x509.subject.country
       ignore_above: 1024
       level: extended
-      name: debug.type
-      normalize: []
-      original_fieldset: pe
-      short: Information type generated by the debug options.
+      name: subject.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) code
       type: keyword
-    threat.indicator.pe.description:
-      dashed_name: threat-indicator-pe-description
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      flat_name: threat.indicator.pe.description
+    threat.indicator.file.x509.subject.distinguished_name:
+      dashed_name: threat-indicator-file-x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: threat.indicator.file.x509.subject.distinguished_name
       ignore_above: 1024
       level: extended
-      name: description
+      name: subject.distinguished_name
       normalize: []
-      original_fieldset: pe
-      short: Internal description of the file, provided at compile-time.
+      original_fieldset: x509
+      short: Distinguished name (DN) of the certificate subject entity.
       type: keyword
-    threat.indicator.pe.entry_point:
-      dashed_name: threat-indicator-pe-entry-point
-      description: Relative byte offset to the base of the PE file.
-      example: 25856
-      flat_name: threat.indicator.pe.entry_point
+    threat.indicator.file.x509.subject.locality:
+      dashed_name: threat-indicator-file-x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: threat.indicator.file.x509.subject.locality
       ignore_above: 1024
       level: extended
-      name: entry_point
-      normalize: []
-      original_fieldset: pe
-      short: Relative byte offset to the base of the PE file.
+      name: subject.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
       type: keyword
-    threat.indicator.pe.exports:
-      dashed_name: threat-indicator-pe-exports
-      description: List of symbols exported by PE
-      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
-      flat_name: threat.indicator.pe.exports
+    threat.indicator.file.x509.subject.organization:
+      dashed_name: threat-indicator-file-x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: threat.indicator.file.x509.subject.organization
       ignore_above: 1024
       level: extended
-      name: exports
+      name: subject.organization
       normalize:
       - array
-      original_fieldset: pe
-      short: List of symbols exported by PE
+      original_fieldset: x509
+      short: List of organizations (O) of subject.
       type: keyword
-    threat.indicator.pe.file_version:
-      dashed_name: threat-indicator-pe-file-version
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      flat_name: threat.indicator.pe.file_version
+    threat.indicator.file.x509.subject.organizational_unit:
+      dashed_name: threat-indicator-file-x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: threat.indicator.file.x509.subject.organizational_unit
       ignore_above: 1024
       level: extended
-      name: file_version
-      normalize: []
-      original_fieldset: pe
-      short: Process name.
+      name: subject.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of subject.
       type: keyword
-    threat.indicator.pe.icon.hash.dhash:
-      dashed_name: threat-indicator-pe-icon-hash-dhash
-      description: Difference Hash (dhash) to find files with a visually similar icon
-        or thumbnail.
-      example: b806e17c8e330d82
-      flat_name: threat.indicator.pe.icon.hash.dhash
+    threat.indicator.file.x509.subject.state_or_province:
+      dashed_name: threat-indicator-file-x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.indicator.file.x509.subject.state_or_province
       ignore_above: 1024
       level: extended
-      name: icon.hash.dhash
-      normalize: []
-      original_fieldset: pe
-      short: Difference Hash (dhash) to find files with a visually similar icon or
-        thumbnail.
+      name: subject.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
       type: keyword
-    threat.indicator.pe.imphash:
-      dashed_name: threat-indicator-pe-imphash
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      flat_name: threat.indicator.pe.imphash
+    threat.indicator.file.x509.version_number:
+      dashed_name: threat-indicator-file-x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: threat.indicator.file.x509.version_number
       ignore_above: 1024
       level: extended
-      name: imphash
+      name: version_number
       normalize: []
-      original_fieldset: pe
-      short: A hash of the imports in a PE file.
+      original_fieldset: x509
+      short: Version of x509 format.
       type: keyword
-    threat.indicator.pe.imports:
-      dashed_name: threat-indicator-pe-imports
-      description: List of all imported functions
-      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
-        }'
-      flat_name: threat.indicator.pe.imports
+    threat.indicator.first_seen:
+      dashed_name: threat-indicator-first-seen
+      description: The date and time when intelligence source first reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.first_seen
       level: extended
-      name: imports
+      name: indicator.first_seen
       normalize: []
-      original_fieldset: pe
-      short: List of all imported functions
-      type: flattened
-    threat.indicator.pe.machine_type:
-      dashed_name: threat-indicator-pe-machine-type
-      description: Machine type of the PE file.
-      example: Intel 386 or later, and compatibles
-      flat_name: threat.indicator.pe.machine_type
+      short: Date/time indicator was first reported.
+      type: date
+    threat.indicator.geo.city_name:
+      dashed_name: threat-indicator-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: threat.indicator.geo.city_name
       ignore_above: 1024
-      level: extended
-      name: machine_type
+      level: core
+      name: city_name
       normalize: []
-      original_fieldset: pe
-      short: Machine type of the PE file.
+      original_fieldset: geo
+      short: City name.
       type: keyword
-    threat.indicator.pe.original_file_name:
-      dashed_name: threat-indicator-pe-original-file-name
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      flat_name: threat.indicator.pe.original_file_name
+    threat.indicator.geo.continent_code:
+      dashed_name: threat-indicator-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: threat.indicator.geo.continent_code
       ignore_above: 1024
-      level: extended
-      name: original_file_name
+      level: core
+      name: continent_code
       normalize: []
-      original_fieldset: pe
-      short: Internal name of the file, provided at compile-time.
+      original_fieldset: geo
+      short: Continent code.
       type: keyword
-    threat.indicator.pe.packers:
-      dashed_name: threat-indicator-pe-packers
-      description: List of packers and tools used.
-      example: '["ASPack v2.12", ".NET executable"]'
-      flat_name: threat.indicator.pe.packers
+    threat.indicator.geo.continent_name:
+      dashed_name: threat-indicator-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: threat.indicator.geo.continent_name
       ignore_above: 1024
-      level: extended
-      name: packers
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of packers and tools used.
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
       type: keyword
-    threat.indicator.pe.product:
-      dashed_name: threat-indicator-pe-product
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      flat_name: threat.indicator.pe.product
+    threat.indicator.geo.country_iso_code:
+      dashed_name: threat-indicator-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: threat.indicator.geo.country_iso_code
       ignore_above: 1024
-      level: extended
-      name: product
+      level: core
+      name: country_iso_code
       normalize: []
-      original_fieldset: pe
-      short: Internal product name of the file, provided at compile-time.
+      original_fieldset: geo
+      short: Country ISO code.
       type: keyword
-    threat.indicator.pe.resources:
-      dashed_name: threat-indicator-pe-resources
-      description: 'An array containing an object for each PE resource, if present.
-
-        The expected fields for this nested object fall under the `resources.` prefix.'
-      flat_name: threat.indicator.pe.resources
-      level: extended
-      name: resources
-      normalize:
-      - array
-      original_fieldset: pe
-      short: PE resource information
-      type: nested
-    threat.indicator.pe.resources.chi2:
-      dashed_name: threat-indicator-pe-resources-chi2
-      description: Chi-square probability distribution.
-      example: -1
-      flat_name: threat.indicator.pe.resources.chi2
-      level: extended
-      name: resources.chi2
+    threat.indicator.geo.country_name:
+      dashed_name: threat-indicator-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: threat.indicator.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
       normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    threat.indicator.pe.resources.entropy:
-      dashed_name: threat-indicator-pe-resources-entropy
-      description: Measurement of entropy randomness in the resources section.
-      example: 0, 1
-      flat_name: threat.indicator.pe.resources.entropy
-      level: extended
-      name: resources.entropy
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    threat.indicator.geo.location:
+      dashed_name: threat-indicator-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: threat.indicator.geo.location
+      level: core
+      name: location
       normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the resources section.
-      type: long
-    threat.indicator.pe.resources.filetype:
-      dashed_name: threat-indicator-pe-resources-filetype
-      description: File type of the resources section.
-      example: Data
-      flat_name: threat.indicator.pe.resources.filetype
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    threat.indicator.geo.name:
+      dashed_name: threat-indicator-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: threat.indicator.geo.name
       ignore_above: 1024
       level: extended
-      name: resources.filetype
+      name: name
       normalize: []
-      original_fieldset: pe
-      short: File type of the resources section.
+      original_fieldset: geo
+      short: User-defined description of a location.
       type: keyword
-    threat.indicator.pe.resources.language:
-      dashed_name: threat-indicator-pe-resources-language
-      description: Language identification.
-      example: CHINESE SIMPLIFIED
-      flat_name: threat.indicator.pe.resources.language
+    threat.indicator.geo.postal_code:
+      dashed_name: threat-indicator-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: threat.indicator.geo.postal_code
       ignore_above: 1024
-      level: extended
-      name: resources.language
+      level: core
+      name: postal_code
       normalize: []
-      original_fieldset: pe
-      short: Language identification.
+      original_fieldset: geo
+      short: Postal code.
       type: keyword
-    threat.indicator.pe.resources.sha256:
-      dashed_name: threat-indicator-pe-resources-sha256
-      description: SHA256 hash of resources section.
-      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-      flat_name: threat.indicator.pe.resources.sha256
+    threat.indicator.geo.region_iso_code:
+      dashed_name: threat-indicator-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: threat.indicator.geo.region_iso_code
       ignore_above: 1024
-      level: extended
-      name: resources.sha256
+      level: core
+      name: region_iso_code
       normalize: []
-      original_fieldset: pe
-      short: SHA256 hash of resources section.
+      original_fieldset: geo
+      short: Region ISO code.
       type: keyword
-    threat.indicator.pe.resources.type:
-      dashed_name: threat-indicator-pe-resources-type
-      description: Digest of resource types.
-      example: '["RT_VERSION", "RT_MANIFEST"]'
-      flat_name: threat.indicator.pe.resources.type
+    threat.indicator.geo.region_name:
+      dashed_name: threat-indicator-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: threat.indicator.geo.region_name
       ignore_above: 1024
-      level: extended
-      name: resources.type
-      normalize:
-      - array
-      original_fieldset: pe
-      short: List of resource types.
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
       type: keyword
-    threat.indicator.pe.rich_header.hash.md5:
-      dashed_name: threat-indicator-pe-rich-header-hash-md5
-      description: MD5 hash of the header for the PE file.
-      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
-      flat_name: threat.indicator.pe.rich_header.hash.md5
+    threat.indicator.geo.timezone:
+      dashed_name: threat-indicator-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: threat.indicator.geo.timezone
       ignore_above: 1024
-      level: extended
-      name: rich_header.hash.md5
+      level: core
+      name: timezone
       normalize: []
-      original_fieldset: pe
-      short: MD5 hash of the header for the PE file.
+      original_fieldset: geo
+      short: Time zone.
       type: keyword
-    threat.indicator.pe.sections:
-      dashed_name: threat-indicator-pe-sections
-      description: Data about sections of compiled binary PE
-      flat_name: threat.indicator.pe.sections
-      level: extended
-      name: sections
-      normalize:
-      - array
-      original_fieldset: pe
-      short: Data about sections of the compiled binary PE
-      type: nested
-    threat.indicator.pe.sections.chi2:
-      dashed_name: threat-indicator-pe-sections-chi2
-      description: Chi-square probability distribution.
-      example: 3027194
-      flat_name: threat.indicator.pe.sections.chi2
-      level: extended
-      name: sections.chi2
-      normalize: []
-      original_fieldset: pe
-      short: Chi-square probability distribution.
-      type: long
-    threat.indicator.pe.sections.entropy:
-      dashed_name: threat-indicator-pe-sections-entropy
-      description: Measurement of entropy randomness in the file.
-      example: 6.24
-      flat_name: threat.indicator.pe.sections.entropy
+    threat.indicator.ip:
+      dashed_name: threat-indicator-ip
+      description: Identifies a threat indicator as an IP address (irrespective of
+        direction).
+      example: 1.2.3.4
+      flat_name: threat.indicator.ip
       level: extended
-      name: sections.entropy
+      name: indicator.ip
       normalize: []
-      original_fieldset: pe
-      short: Measurement of entropy randomness in the file.
-      type: float
-    threat.indicator.pe.sections.flags:
-      dashed_name: threat-indicator-pe-sections-flags
-      description: Section flags of the file.
-      example: rx
-      flat_name: threat.indicator.pe.sections.flags
-      ignore_above: 1024
+      short: Indicator IP address
+      type: ip
+    threat.indicator.last_seen:
+      dashed_name: threat-indicator-last-seen
+      description: The date and time when intelligence source last reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.last_seen
       level: extended
-      name: sections.flags
+      name: indicator.last_seen
       normalize: []
-      original_fieldset: pe
-      short: Section flags of the file.
-      type: keyword
-    threat.indicator.pe.sections.name:
-      dashed_name: threat-indicator-pe-sections-name
-      description: Section names of the file.
-      example: .text, .data
-      flat_name: threat.indicator.pe.sections.name
+      short: Date/time indicator was last reported.
+      type: date
+    threat.indicator.marking.tlp:
+      dashed_name: threat-indicator-marking-tlp
+      description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
+        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+      example: WHITE
+      flat_name: threat.indicator.marking.tlp
       ignore_above: 1024
       level: extended
-      name: sections.name
+      name: indicator.marking.tlp
       normalize: []
-      original_fieldset: pe
-      short: Section names of the file.
+      short: Indicator TLP marking
       type: keyword
-    threat.indicator.pe.sections.raw_size:
-      dashed_name: threat-indicator-pe-sections-raw-size
-      description: Size of the section or the dize of the initialized data on disk.
-      example: 198144
-      flat_name: threat.indicator.pe.sections.raw_size
-      format: bytes
-      level: extended
-      name: sections.raw_size
-      normalize: []
-      original_fieldset: pe
-      short: Size of the section or the dize of the initialized data on disk.
-      type: long
-    threat.indicator.pe.sections.virtual_address:
-      dashed_name: threat-indicator-pe-sections-virtual-address
-      description: Virtual address available to the file.
-      example: 8192
-      flat_name: threat.indicator.pe.sections.virtual_address
-      format: bytes
+    threat.indicator.modified_at:
+      dashed_name: threat-indicator-modified-at
+      description: The date and time when intelligence source last modified information
+        for this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.modified_at
       level: extended
-      name: sections.virtual_address
+      name: indicator.modified_at
       normalize: []
-      original_fieldset: pe
-      short: Virtual address available to the file.
-      type: long
+      short: Date/time indicator was last updated.
+      type: date
     threat.indicator.port:
       dashed_name: threat-indicator-port
       description: Identifies a threat indicator as a port number (irrespective of
@@ -19788,21 +18752,24 @@ threat:
   - threat.enrichments.indicator.as
   - threat.enrichments.indicator.file
   - threat.enrichments.indicator.geo
-  - threat.enrichments.indicator.hash
-  - threat.enrichments.indicator.pe
   - threat.enrichments.indicator.registry
   - threat.enrichments.indicator.url
   - threat.enrichments.indicator.x509
   - threat.indicator.as
   - threat.indicator.file
   - threat.indicator.geo
-  - threat.indicator.hash
-  - threat.indicator.pe
   - threat.indicator.registry
   - threat.indicator.url
   - threat.indicator.x509
   prefix: threat.
   reused_here:
+  - full: threat.indicator.x509
+    schema_name: x509
+    short: These fields contain x509 certificate metadata.
+  - beta: Reusing the `x509` fields in this location is currently considered beta.
+    full: threat.enrichments.indicator.x509
+    schema_name: x509
+    short: These fields contain x509 certificate metadata.
   - full: threat.indicator.as
     schema_name: as
     short: Fields describing an Autonomous System (Internet routing prefix).
@@ -19824,20 +18791,6 @@ threat:
     full: threat.enrichments.indicator.geo
     schema_name: geo
     short: Fields describing a location.
-  - full: threat.indicator.hash
-    schema_name: hash
-    short: Hashes, usually file hashes.
-  - beta: Reusing the `hash` fields in this location is currently considered beta.
-    full: threat.enrichments.indicator.hash
-    schema_name: hash
-    short: Hashes, usually file hashes.
-  - full: threat.indicator.pe
-    schema_name: pe
-    short: These fields contain Windows Portable Executable (PE) metadata.
-  - beta: Reusing the `pe` fields in this location is currently considered beta.
-    full: threat.enrichments.indicator.pe
-    schema_name: pe
-    short: These fields contain Windows Portable Executable (PE) metadata.
   - full: threat.indicator.registry
     schema_name: registry
     short: Fields related to Windows Registry operations.
@@ -19852,13 +18805,6 @@ threat:
     full: threat.enrichments.indicator.url
     schema_name: url
     short: Fields that let you store URLs in various forms.
-  - full: threat.indicator.x509
-    schema_name: x509
-    short: These fields contain x509 certificate metadata.
-  - beta: Reusing the `x509` fields in this location is currently considered beta.
-    full: threat.enrichments.indicator.x509
-    schema_name: x509
-    short: These fields contain x509 certificate metadata.
   short: Fields to classify events and alerts according to a threat taxonomy.
   title: Threat
   type: group
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index c605a479aa..95533648ae 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "8.0.0-dev+exp"
+      "version": "8.1.0-dev+exp"
     },
     "date_detection": false,
     "dynamic_templates": [
@@ -54,6 +54,48 @@
           }
         }
       },
+      "cgroup": {
+        "properties": {
+          "cpu": {
+            "properties": {
+              "periods": {
+                "type": "long"
+              },
+              "throttled": {
+                "properties": {
+                  "us": {
+                    "type": "long"
+                  }
+                }
+              },
+              "usage": {
+                "scaling_factor": 1000,
+                "type": "scaled_float"
+              }
+            }
+          },
+          "memory": {
+            "properties": {
+              "limit": {
+                "type": "long"
+              },
+              "swap": {
+                "properties": {
+                  "usage": {
+                    "type": "long"
+                  }
+                }
+              },
+              "usage": {
+                "type": "long"
+              }
+            }
+          },
+          "version": {
+            "type": "long"
+          }
+        }
+      },
       "client": {
         "properties": {
           "address": {
@@ -267,6 +309,74 @@
               }
             }
           },
+          "origin": {
+            "properties": {
+              "account": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "availability_zone": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "instance": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "machine": {
+                "properties": {
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "project": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "provider": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "service": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
+          },
           "project": {
             "properties": {
               "id": {
@@ -294,6 +404,74 @@
                 "type": "keyword"
               }
             }
+          },
+          "target": {
+            "properties": {
+              "account": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "availability_zone": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "instance": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "machine": {
+                "properties": {
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "project": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "provider": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "service": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
           }
         }
       },
@@ -1121,6 +1299,30 @@
           }
         }
       },
+      "faas": {
+        "properties": {
+          "coldstart": {
+            "type": "boolean"
+          },
+          "execution": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "trigger": {
+            "properties": {
+              "request_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            },
+            "type": "nested"
+          }
+        }
+      },
       "file": {
         "properties": {
           "accessed": {
@@ -3025,9 +3227,6 @@
               "pid": {
                 "type": "long"
               },
-              "ppid": {
-                "type": "long"
-              },
               "start": {
                 "type": "date"
               },
@@ -3239,928 +3438,53 @@
           "pid": {
             "type": "long"
           },
-          "ppid": {
-            "type": "long"
-          },
           "start": {
             "type": "date"
           },
-          "target": {
+          "thread": {
             "properties": {
-              "args": {
+              "id": {
+                "type": "long"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "title": {
+            "fields": {
+              "text": {
+                "type": "match_only_text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "uptime": {
+            "type": "long"
+          },
+          "working_directory": {
+            "fields": {
+              "text": {
+                "type": "match_only_text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "registry": {
+        "properties": {
+          "data": {
+            "properties": {
+              "bytes": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
-              "args_count": {
-                "type": "long"
-              },
-              "code_signature": {
-                "properties": {
-                  "digest_algorithm": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "exists": {
-                    "type": "boolean"
-                  },
-                  "signing_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "status": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "subject_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "team_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "timestamp": {
-                    "type": "date"
-                  },
-                  "trusted": {
-                    "type": "boolean"
-                  },
-                  "valid": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "command_line": {
-                "fields": {
-                  "text": {
-                    "type": "match_only_text"
-                  }
-                },
-                "type": "wildcard"
-              },
-              "elf": {
-                "properties": {
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "byte_order": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "cpu_type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "creation_date": {
-                    "type": "date"
-                  },
-                  "exports": {
-                    "type": "flattened"
-                  },
-                  "header": {
-                    "properties": {
-                      "abi_version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "class": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "data": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "entrypoint": {
-                        "type": "long"
-                      },
-                      "object_version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "os_abi": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "imports": {
-                    "type": "flattened"
-                  },
-                  "sections": {
-                    "properties": {
-                      "chi2": {
-                        "type": "long"
-                      },
-                      "entropy": {
-                        "type": "long"
-                      },
-                      "flags": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "physical_offset": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "physical_size": {
-                        "type": "long"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "virtual_address": {
-                        "type": "long"
-                      },
-                      "virtual_size": {
-                        "type": "long"
-                      }
-                    },
-                    "type": "nested"
-                  },
-                  "segments": {
-                    "properties": {
-                      "sections": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    },
-                    "type": "nested"
-                  },
-                  "shared_libraries": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "telfhash": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "end": {
-                "type": "date"
-              },
-              "entity_id": {
-                "ignore_above": 1024,
-                "type": "keyword"
-              },
-              "executable": {
-                "fields": {
-                  "text": {
-                    "type": "match_only_text"
-                  }
-                },
-                "ignore_above": 1024,
-                "type": "keyword"
-              },
-              "exit_code": {
-                "type": "long"
-              },
-              "hash": {
-                "properties": {
-                  "md5": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha1": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha256": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha512": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ssdeep": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "name": {
-                "fields": {
-                  "text": {
-                    "type": "match_only_text"
-                  }
-                },
-                "ignore_above": 1024,
-                "type": "keyword"
-              },
-              "parent": {
-                "properties": {
-                  "args": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "args_count": {
-                    "type": "long"
-                  },
-                  "code_signature": {
-                    "properties": {
-                      "digest_algorithm": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "exists": {
-                        "type": "boolean"
-                      },
-                      "signing_id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "status": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "subject_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "team_id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "timestamp": {
-                        "type": "date"
-                      },
-                      "trusted": {
-                        "type": "boolean"
-                      },
-                      "valid": {
-                        "type": "boolean"
-                      }
-                    }
-                  },
-                  "command_line": {
-                    "fields": {
-                      "text": {
-                        "type": "match_only_text"
-                      }
-                    },
-                    "type": "wildcard"
-                  },
-                  "elf": {
-                    "properties": {
-                      "architecture": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "byte_order": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "cpu_type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "creation_date": {
-                        "type": "date"
-                      },
-                      "exports": {
-                        "type": "flattened"
-                      },
-                      "header": {
-                        "properties": {
-                          "abi_version": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "class": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "data": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "entrypoint": {
-                            "type": "long"
-                          },
-                          "object_version": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "os_abi": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "type": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "version": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        }
-                      },
-                      "imports": {
-                        "type": "flattened"
-                      },
-                      "sections": {
-                        "properties": {
-                          "chi2": {
-                            "type": "long"
-                          },
-                          "entropy": {
-                            "type": "long"
-                          },
-                          "flags": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "name": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "physical_offset": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "physical_size": {
-                            "type": "long"
-                          },
-                          "type": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "virtual_address": {
-                            "type": "long"
-                          },
-                          "virtual_size": {
-                            "type": "long"
-                          }
-                        },
-                        "type": "nested"
-                      },
-                      "segments": {
-                        "properties": {
-                          "sections": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "type": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        },
-                        "type": "nested"
-                      },
-                      "shared_libraries": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "telfhash": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "end": {
-                    "type": "date"
-                  },
-                  "entity_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "executable": {
-                    "fields": {
-                      "text": {
-                        "type": "match_only_text"
-                      }
-                    },
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "exit_code": {
-                    "type": "long"
-                  },
-                  "hash": {
-                    "properties": {
-                      "md5": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha1": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha256": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha512": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ssdeep": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "fields": {
-                      "text": {
-                        "type": "match_only_text"
-                      }
-                    },
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "pe": {
-                    "properties": {
-                      "architecture": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "authentihash": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "company": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "compile_timestamp": {
-                        "type": "date"
-                      },
-                      "compiler": {
-                        "properties": {
-                          "name": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "version": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        }
-                      },
-                      "creation_date": {
-                        "type": "date"
-                      },
-                      "debug": {
-                        "properties": {
-                          "offset": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "size": {
-                            "type": "long"
-                          },
-                          "timestamp": {
-                            "type": "date"
-                          },
-                          "type": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        },
-                        "type": "nested"
-                      },
-                      "description": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "entry_point": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "exports": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "file_version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "icon": {
-                        "properties": {
-                          "hash": {
-                            "properties": {
-                              "dhash": {
-                                "ignore_above": 1024,
-                                "type": "keyword"
-                              }
-                            }
-                          }
-                        }
-                      },
-                      "imphash": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "imports": {
-                        "type": "flattened"
-                      },
-                      "machine_type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "original_file_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "packers": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "product": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "resources": {
-                        "properties": {
-                          "chi2": {
-                            "type": "long"
-                          },
-                          "entropy": {
-                            "type": "long"
-                          },
-                          "filetype": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "language": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "sha256": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "type": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        },
-                        "type": "nested"
-                      },
-                      "rich_header": {
-                        "properties": {
-                          "hash": {
-                            "properties": {
-                              "md5": {
-                                "ignore_above": 1024,
-                                "type": "keyword"
-                              }
-                            }
-                          }
-                        }
-                      },
-                      "sections": {
-                        "properties": {
-                          "chi2": {
-                            "type": "long"
-                          },
-                          "entropy": {
-                            "type": "float"
-                          },
-                          "flags": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "name": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "raw_size": {
-                            "type": "long"
-                          },
-                          "virtual_address": {
-                            "type": "long"
-                          }
-                        },
-                        "type": "nested"
-                      }
-                    }
-                  },
-                  "pgid": {
-                    "type": "long"
-                  },
-                  "pid": {
-                    "type": "long"
-                  },
-                  "ppid": {
-                    "type": "long"
-                  },
-                  "start": {
-                    "type": "date"
-                  },
-                  "thread": {
-                    "properties": {
-                      "id": {
-                        "type": "long"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "title": {
-                    "fields": {
-                      "text": {
-                        "type": "match_only_text"
-                      }
-                    },
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "uptime": {
-                    "type": "long"
-                  },
-                  "working_directory": {
-                    "fields": {
-                      "text": {
-                        "type": "match_only_text"
-                      }
-                    },
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "pe": {
-                "properties": {
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "authentihash": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "company": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "compile_timestamp": {
-                    "type": "date"
-                  },
-                  "compiler": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "creation_date": {
-                    "type": "date"
-                  },
-                  "debug": {
-                    "properties": {
-                      "offset": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "size": {
-                        "type": "long"
-                      },
-                      "timestamp": {
-                        "type": "date"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    },
-                    "type": "nested"
-                  },
-                  "description": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "entry_point": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "exports": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "file_version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "icon": {
-                    "properties": {
-                      "hash": {
-                        "properties": {
-                          "dhash": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        }
-                      }
-                    }
-                  },
-                  "imphash": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "imports": {
-                    "type": "flattened"
-                  },
-                  "machine_type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "original_file_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "packers": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "product": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "resources": {
-                    "properties": {
-                      "chi2": {
-                        "type": "long"
-                      },
-                      "entropy": {
-                        "type": "long"
-                      },
-                      "filetype": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "language": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha256": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    },
-                    "type": "nested"
-                  },
-                  "rich_header": {
-                    "properties": {
-                      "hash": {
-                        "properties": {
-                          "md5": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        }
-                      }
-                    }
-                  },
-                  "sections": {
-                    "properties": {
-                      "chi2": {
-                        "type": "long"
-                      },
-                      "entropy": {
-                        "type": "float"
-                      },
-                      "flags": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "raw_size": {
-                        "type": "long"
-                      },
-                      "virtual_address": {
-                        "type": "long"
-                      }
-                    },
-                    "type": "nested"
-                  }
-                }
-              },
-              "pgid": {
-                "type": "long"
-              },
-              "pid": {
-                "type": "long"
-              },
-              "ppid": {
-                "type": "long"
-              },
-              "start": {
-                "type": "date"
-              },
-              "thread": {
-                "properties": {
-                  "id": {
-                    "type": "long"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "title": {
-                "fields": {
-                  "text": {
-                    "type": "match_only_text"
-                  }
-                },
-                "ignore_above": 1024,
-                "type": "keyword"
-              },
-              "uptime": {
-                "type": "long"
-              },
-              "working_directory": {
-                "fields": {
-                  "text": {
-                    "type": "match_only_text"
-                  }
-                },
-                "ignore_above": 1024,
-                "type": "keyword"
-              }
-            }
-          },
-          "thread": {
-            "properties": {
-              "id": {
-                "type": "long"
-              },
-              "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
-              }
-            }
-          },
-          "title": {
-            "fields": {
-              "text": {
-                "type": "match_only_text"
-              }
-            },
-            "ignore_above": 1024,
-            "type": "keyword"
-          },
-          "uptime": {
-            "type": "long"
-          },
-          "working_directory": {
-            "fields": {
-              "text": {
-                "type": "match_only_text"
-              }
-            },
-            "ignore_above": 1024,
-            "type": "keyword"
-          }
-        }
-      },
-      "registry": {
-        "properties": {
-          "data": {
-            "properties": {
-              "bytes": {
-                "ignore_above": 1024,
-                "type": "keyword"
-              },
-              "strings": {
-                "type": "wildcard"
+              "strings": {
+                "type": "wildcard"
               },
               "type": {
                 "ignore_above": 1024,
@@ -4370,94 +3694,182 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
-              "email": {
+              "email": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "type": "match_only_text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "type": "match_only_text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "service": {
+        "properties": {
+          "address": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "environment": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "ephemeral_id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "node": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "origin": {
+            "properties": {
+              "address": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "environment": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "ephemeral_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "node": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "state": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "state": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "target": {
+            "properties": {
+              "address": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "environment": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "ephemeral_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
-              "full_name": {
-                "fields": {
-                  "text": {
-                    "type": "match_only_text"
-                  }
-                },
+              "name": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
-              "group": {
+              "node": {
                 "properties": {
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
                   "name": {
                     "ignore_above": 1024,
                     "type": "keyword"
                   }
                 }
               },
-              "hash": {
-                "ignore_above": 1024,
-                "type": "keyword"
-              },
-              "id": {
+              "state": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
-              "name": {
-                "fields": {
-                  "text": {
-                    "type": "match_only_text"
-                  }
-                },
+              "type": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
-              "roles": {
-                "ignore_above": 1024,
-                "type": "keyword"
-              }
-            }
-          }
-        }
-      },
-      "service": {
-        "properties": {
-          "address": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          },
-          "environment": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          },
-          "ephemeral_id": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          },
-          "id": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          },
-          "name": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          },
-          "node": {
-            "properties": {
-              "name": {
+              "version": {
                 "ignore_above": 1024,
                 "type": "keyword"
               }
             }
           },
-          "state": {
-            "ignore_above": 1024,
-            "type": "keyword"
-          },
           "type": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -4893,6 +4305,30 @@
                         "ignore_above": 1024,
                         "type": "keyword"
                       },
+                      "hash": {
+                        "properties": {
+                          "md5": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "sha1": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "sha256": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "sha512": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "ssdeep": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
                       "inode": {
                         "ignore_above": 1024,
                         "type": "keyword"
@@ -4925,6 +4361,174 @@
                         "ignore_above": 1024,
                         "type": "keyword"
                       },
+                      "pe": {
+                        "properties": {
+                          "architecture": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "authentihash": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "company": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "compile_timestamp": {
+                            "type": "date"
+                          },
+                          "compiler": {
+                            "properties": {
+                              "name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "version": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            }
+                          },
+                          "creation_date": {
+                            "type": "date"
+                          },
+                          "debug": {
+                            "properties": {
+                              "offset": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "size": {
+                                "type": "long"
+                              },
+                              "timestamp": {
+                                "type": "date"
+                              },
+                              "type": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            },
+                            "type": "nested"
+                          },
+                          "description": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "entry_point": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "exports": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "file_version": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "icon": {
+                            "properties": {
+                              "hash": {
+                                "properties": {
+                                  "dhash": {
+                                    "ignore_above": 1024,
+                                    "type": "keyword"
+                                  }
+                                }
+                              }
+                            }
+                          },
+                          "imphash": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "imports": {
+                            "type": "flattened"
+                          },
+                          "machine_type": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "original_file_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "packers": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "product": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "resources": {
+                            "properties": {
+                              "chi2": {
+                                "type": "long"
+                              },
+                              "entropy": {
+                                "type": "long"
+                              },
+                              "filetype": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "language": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "sha256": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "type": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            },
+                            "type": "nested"
+                          },
+                          "rich_header": {
+                            "properties": {
+                              "hash": {
+                                "properties": {
+                                  "md5": {
+                                    "ignore_above": 1024,
+                                    "type": "keyword"
+                                  }
+                                }
+                              }
+                            }
+                          },
+                          "sections": {
+                            "properties": {
+                              "chi2": {
+                                "type": "long"
+                              },
+                              "entropy": {
+                                "type": "float"
+                              },
+                              "flags": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "raw_size": {
+                                "type": "long"
+                              },
+                              "virtual_address": {
+                                "type": "long"
+                              }
+                            },
+                            "type": "nested"
+                          }
+                        }
+                      },
                       "size": {
                         "type": "long"
                       },
@@ -4933,17 +4537,123 @@
                           "text": {
                             "type": "match_only_text"
                           }
-                        },
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "uid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
+                        },
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "uid": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "x509": {
+                        "properties": {
+                          "alternative_names": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "issuer": {
+                            "properties": {
+                              "common_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "country": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "distinguished_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "locality": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organization": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organizational_unit": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "state_or_province": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            }
+                          },
+                          "not_after": {
+                            "type": "date"
+                          },
+                          "not_before": {
+                            "type": "date"
+                          },
+                          "public_key_algorithm": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "public_key_curve": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "public_key_exponent": {
+                            "doc_values": false,
+                            "index": false,
+                            "type": "long"
+                          },
+                          "public_key_size": {
+                            "type": "long"
+                          },
+                          "serial_number": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "signature_algorithm": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "subject": {
+                            "properties": {
+                              "common_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "country": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "distinguished_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "locality": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organization": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organizational_unit": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "state_or_province": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            }
+                          },
+                          "version_number": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
                       }
                     }
                   },
@@ -4997,30 +4707,6 @@
                       }
                     }
                   },
-                  "hash": {
-                    "properties": {
-                      "md5": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha1": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha256": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha512": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ssdeep": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
                   "ip": {
                     "type": "ip"
                   },
@@ -5038,174 +4724,6 @@
                   "modified_at": {
                     "type": "date"
                   },
-                  "pe": {
-                    "properties": {
-                      "architecture": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "authentihash": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "company": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "compile_timestamp": {
-                        "type": "date"
-                      },
-                      "compiler": {
-                        "properties": {
-                          "name": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "version": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        }
-                      },
-                      "creation_date": {
-                        "type": "date"
-                      },
-                      "debug": {
-                        "properties": {
-                          "offset": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "size": {
-                            "type": "long"
-                          },
-                          "timestamp": {
-                            "type": "date"
-                          },
-                          "type": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        },
-                        "type": "nested"
-                      },
-                      "description": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "entry_point": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "exports": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "file_version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "icon": {
-                        "properties": {
-                          "hash": {
-                            "properties": {
-                              "dhash": {
-                                "ignore_above": 1024,
-                                "type": "keyword"
-                              }
-                            }
-                          }
-                        }
-                      },
-                      "imphash": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "imports": {
-                        "type": "flattened"
-                      },
-                      "machine_type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "original_file_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "packers": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "product": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "resources": {
-                        "properties": {
-                          "chi2": {
-                            "type": "long"
-                          },
-                          "entropy": {
-                            "type": "long"
-                          },
-                          "filetype": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "language": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "sha256": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "type": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        },
-                        "type": "nested"
-                      },
-                      "rich_header": {
-                        "properties": {
-                          "hash": {
-                            "properties": {
-                              "md5": {
-                                "ignore_above": 1024,
-                                "type": "keyword"
-                              }
-                            }
-                          }
-                        }
-                      },
-                      "sections": {
-                        "properties": {
-                          "chi2": {
-                            "type": "long"
-                          },
-                          "entropy": {
-                            "type": "float"
-                          },
-                          "flags": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "name": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          },
-                          "raw_size": {
-                            "type": "long"
-                          },
-                          "virtual_address": {
-                            "type": "long"
-                          }
-                        },
-                        "type": "nested"
-                      }
-                    }
-                  },
                   "port": {
                     "type": "long"
                   },
@@ -5455,6 +4973,9 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "occurred": {
+                    "type": "date"
+                  },
                   "type": {
                     "ignore_above": 1024,
                     "type": "keyword"
@@ -5722,6 +5243,30 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "hash": {
+                    "properties": {
+                      "md5": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha1": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha256": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha512": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "ssdeep": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
                   "inode": {
                     "ignore_above": 1024,
                     "type": "keyword"
@@ -5754,6 +5299,174 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "pe": {
+                    "properties": {
+                      "architecture": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "authentihash": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "company": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "compile_timestamp": {
+                        "type": "date"
+                      },
+                      "compiler": {
+                        "properties": {
+                          "name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "version": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
+                      "creation_date": {
+                        "type": "date"
+                      },
+                      "debug": {
+                        "properties": {
+                          "offset": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "size": {
+                            "type": "long"
+                          },
+                          "timestamp": {
+                            "type": "date"
+                          },
+                          "type": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        },
+                        "type": "nested"
+                      },
+                      "description": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "entry_point": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "exports": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "file_version": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "icon": {
+                        "properties": {
+                          "hash": {
+                            "properties": {
+                              "dhash": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            }
+                          }
+                        }
+                      },
+                      "imphash": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "imports": {
+                        "type": "flattened"
+                      },
+                      "machine_type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "original_file_name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "packers": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "product": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "resources": {
+                        "properties": {
+                          "chi2": {
+                            "type": "long"
+                          },
+                          "entropy": {
+                            "type": "long"
+                          },
+                          "filetype": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "language": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "sha256": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "type": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        },
+                        "type": "nested"
+                      },
+                      "rich_header": {
+                        "properties": {
+                          "hash": {
+                            "properties": {
+                              "md5": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            }
+                          }
+                        }
+                      },
+                      "sections": {
+                        "properties": {
+                          "chi2": {
+                            "type": "long"
+                          },
+                          "entropy": {
+                            "type": "float"
+                          },
+                          "flags": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "raw_size": {
+                            "type": "long"
+                          },
+                          "virtual_address": {
+                            "type": "long"
+                          }
+                        },
+                        "type": "nested"
+                      }
+                    }
+                  },
                   "size": {
                     "type": "long"
                   },
@@ -5762,17 +5475,123 @@
                       "text": {
                         "type": "match_only_text"
                       }
-                    },
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "uid": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    },
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "uid": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "x509": {
+                    "properties": {
+                      "alternative_names": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "issuer": {
+                        "properties": {
+                          "common_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "country": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "distinguished_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "locality": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organization": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organizational_unit": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "state_or_province": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
+                      "not_after": {
+                        "type": "date"
+                      },
+                      "not_before": {
+                        "type": "date"
+                      },
+                      "public_key_algorithm": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "public_key_curve": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "public_key_exponent": {
+                        "doc_values": false,
+                        "index": false,
+                        "type": "long"
+                      },
+                      "public_key_size": {
+                        "type": "long"
+                      },
+                      "serial_number": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "signature_algorithm": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "subject": {
+                        "properties": {
+                          "common_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "country": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "distinguished_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "locality": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organization": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organizational_unit": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "state_or_province": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
+                      "version_number": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
                   }
                 }
               },
@@ -5826,30 +5645,6 @@
                   }
                 }
               },
-              "hash": {
-                "properties": {
-                  "md5": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha1": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha256": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha512": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ssdeep": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
               "ip": {
                 "type": "ip"
               },
@@ -5867,174 +5662,6 @@
               "modified_at": {
                 "type": "date"
               },
-              "pe": {
-                "properties": {
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "authentihash": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "company": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "compile_timestamp": {
-                    "type": "date"
-                  },
-                  "compiler": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "creation_date": {
-                    "type": "date"
-                  },
-                  "debug": {
-                    "properties": {
-                      "offset": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "size": {
-                        "type": "long"
-                      },
-                      "timestamp": {
-                        "type": "date"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    },
-                    "type": "nested"
-                  },
-                  "description": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "entry_point": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "exports": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "file_version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "icon": {
-                    "properties": {
-                      "hash": {
-                        "properties": {
-                          "dhash": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        }
-                      }
-                    }
-                  },
-                  "imphash": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "imports": {
-                    "type": "flattened"
-                  },
-                  "machine_type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "original_file_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "packers": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "product": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "resources": {
-                    "properties": {
-                      "chi2": {
-                        "type": "long"
-                      },
-                      "entropy": {
-                        "type": "long"
-                      },
-                      "filetype": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "language": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha256": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    },
-                    "type": "nested"
-                  },
-                  "rich_header": {
-                    "properties": {
-                      "hash": {
-                        "properties": {
-                          "md5": {
-                            "ignore_above": 1024,
-                            "type": "keyword"
-                          }
-                        }
-                      }
-                    }
-                  },
-                  "sections": {
-                    "properties": {
-                      "chi2": {
-                        "type": "long"
-                      },
-                      "entropy": {
-                        "type": "float"
-                      },
-                      "flags": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "raw_size": {
-                        "type": "long"
-                      },
-                      "virtual_address": {
-                        "type": "long"
-                      }
-                    },
-                    "type": "nested"
-                  }
-                }
-              },
               "port": {
                 "type": "long"
               },
@@ -7159,4 +6786,4 @@
       "refresh_interval": "5s"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/agent.json b/experimental/generated/elasticsearch/component/agent.json
index 0464d12e85..86568b8348 100644
--- a/experimental/generated/elasticsearch/component/agent.json
+++ b/experimental/generated/elasticsearch/component/agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -41,4 +41,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/base.json b/experimental/generated/elasticsearch/component/base.json
index c626d9e67c..7bc9b5fb54 100644
--- a/experimental/generated/elasticsearch/component/base.json
+++ b/experimental/generated/elasticsearch/component/base.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -22,4 +22,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/cgroup.json b/experimental/generated/elasticsearch/component/cgroup.json
new file mode 100644
index 0000000000..d791edf4e8
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/cgroup.json
@@ -0,0 +1,54 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html",
+    "ecs_version": "8.1.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "cgroup": {
+          "properties": {
+            "cpu": {
+              "properties": {
+                "periods": {
+                  "type": "long"
+                },
+                "throttled": {
+                  "properties": {
+                    "us": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "usage": {
+                  "scaling_factor": 1000,
+                  "type": "scaled_float"
+                }
+              }
+            },
+            "memory": {
+              "properties": {
+                "limit": {
+                  "type": "long"
+                },
+                "swap": {
+                  "properties": {
+                    "usage": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "usage": {
+                  "type": "long"
+                }
+              }
+            },
+            "version": {
+              "type": "long"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json
index e01f8e110c..df8bcbac49 100644
--- a/experimental/generated/elasticsearch/component/client.json
+++ b/experimental/generated/elasticsearch/component/client.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json
index 91838f3660..7646001636 100644
--- a/experimental/generated/elasticsearch/component/cloud.json
+++ b/experimental/generated/elasticsearch/component/cloud.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -44,6 +44,74 @@
                 }
               }
             },
+            "origin": {
+              "properties": {
+                "account": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "availability_zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "instance": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "machine": {
+                  "properties": {
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "project": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "service": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
             "project": {
               "properties": {
                 "id": {
@@ -71,10 +139,78 @@
                   "type": "keyword"
                 }
               }
+            },
+            "target": {
+              "properties": {
+                "account": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "availability_zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "instance": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "machine": {
+                  "properties": {
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "project": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "service": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
             }
           }
         }
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/container.json b/experimental/generated/elasticsearch/component/container.json
index 323ab6427e..a04ed79391 100644
--- a/experimental/generated/elasticsearch/component/container.json
+++ b/experimental/generated/elasticsearch/component/container.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -92,4 +92,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/data_stream.json b/experimental/generated/elasticsearch/component/data_stream.json
index be14775444..01be5e17b7 100644
--- a/experimental/generated/elasticsearch/component/data_stream.json
+++ b/experimental/generated/elasticsearch/component/data_stream.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -22,4 +22,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json
index 43176b8208..e8c291bb56 100644
--- a/experimental/generated/elasticsearch/component/destination.json
+++ b/experimental/generated/elasticsearch/component/destination.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json
index b5e39d4ed0..7c3a3da55f 100644
--- a/experimental/generated/elasticsearch/component/dll.json
+++ b/experimental/generated/elasticsearch/component/dll.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -249,4 +249,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/dns.json b/experimental/generated/elasticsearch/component/dns.json
index 84ced3eb8d..fbdd009ddf 100644
--- a/experimental/generated/elasticsearch/component/dns.json
+++ b/experimental/generated/elasticsearch/component/dns.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -88,4 +88,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/ecs.json b/experimental/generated/elasticsearch/component/ecs.json
index 2c705dda72..9d0817e902 100644
--- a/experimental/generated/elasticsearch/component/ecs.json
+++ b/experimental/generated/elasticsearch/component/ecs.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -17,4 +17,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/email.json b/experimental/generated/elasticsearch/component/email.json
index 2b73c26604..aac03edbf3 100644
--- a/experimental/generated/elasticsearch/component/email.json
+++ b/experimental/generated/elasticsearch/component/email.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -108,4 +108,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/error.json b/experimental/generated/elasticsearch/component/error.json
index 8d431bfea6..12de057adb 100644
--- a/experimental/generated/elasticsearch/component/error.json
+++ b/experimental/generated/elasticsearch/component/error.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -36,4 +36,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/event.json b/experimental/generated/elasticsearch/component/event.json
index 7298ae223c..6fc282df99 100644
--- a/experimental/generated/elasticsearch/component/event.json
+++ b/experimental/generated/elasticsearch/component/event.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -109,4 +109,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/faas.json b/experimental/generated/elasticsearch/component/faas.json
new file mode 100644
index 0000000000..426c14805c
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/faas.json
@@ -0,0 +1,36 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html",
+    "ecs_version": "8.1.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "faas": {
+          "properties": {
+            "coldstart": {
+              "type": "boolean"
+            },
+            "execution": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "trigger": {
+              "properties": {
+                "request_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "nested"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index e8892a781c..7feb3cd0fa 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -557,4 +557,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/group.json b/experimental/generated/elasticsearch/component/group.json
index 08c287dbc1..290fbe65d1 100644
--- a/experimental/generated/elasticsearch/component/group.json
+++ b/experimental/generated/elasticsearch/component/group.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -25,4 +25,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json
index 2ec145e1a0..e6833b4452 100644
--- a/experimental/generated/elasticsearch/component/host.json
+++ b/experimental/generated/elasticsearch/component/host.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -186,4 +186,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json
index 14b10aca45..7f2b589d6f 100644
--- a/experimental/generated/elasticsearch/component/http.json
+++ b/experimental/generated/elasticsearch/component/http.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -84,4 +84,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/log.json b/experimental/generated/elasticsearch/component/log.json
index c6606488ef..a7a41bfaf2 100644
--- a/experimental/generated/elasticsearch/component/log.json
+++ b/experimental/generated/elasticsearch/component/log.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -78,4 +78,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/network.json b/experimental/generated/elasticsearch/component/network.json
index ddf8d0eb30..0609af27e6 100644
--- a/experimental/generated/elasticsearch/component/network.json
+++ b/experimental/generated/elasticsearch/component/network.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -83,4 +83,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json
index 8708315ffa..cd4ad68dd6 100644
--- a/experimental/generated/elasticsearch/component/observer.json
+++ b/experimental/generated/elasticsearch/component/observer.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -211,4 +211,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/orchestrator.json b/experimental/generated/elasticsearch/component/orchestrator.json
index 1f4a308634..600e56c8c6 100644
--- a/experimental/generated/elasticsearch/component/orchestrator.json
+++ b/experimental/generated/elasticsearch/component/orchestrator.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -57,4 +57,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/organization.json b/experimental/generated/elasticsearch/component/organization.json
index 3dca4112e0..01b80067ec 100644
--- a/experimental/generated/elasticsearch/component/organization.json
+++ b/experimental/generated/elasticsearch/component/organization.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -26,4 +26,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/package.json b/experimental/generated/elasticsearch/component/package.json
index 4aaf4b24f8..9a97e89b29 100644
--- a/experimental/generated/elasticsearch/component/package.json
+++ b/experimental/generated/elasticsearch/component/package.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -63,4 +63,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
index 9b727391e5..6276877546 100644
--- a/experimental/generated/elasticsearch/component/process.json
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -624,9 +624,6 @@
                 "pid": {
                   "type": "long"
                 },
-                "ppid": {
-                  "type": "long"
-                },
                 "start": {
                   "type": "date"
                 },
@@ -838,884 +835,9 @@
             "pid": {
               "type": "long"
             },
-            "ppid": {
-              "type": "long"
-            },
             "start": {
               "type": "date"
             },
-            "target": {
-              "properties": {
-                "args": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "args_count": {
-                  "type": "long"
-                },
-                "code_signature": {
-                  "properties": {
-                    "digest_algorithm": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "exists": {
-                      "type": "boolean"
-                    },
-                    "signing_id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "status": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "subject_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "team_id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "timestamp": {
-                      "type": "date"
-                    },
-                    "trusted": {
-                      "type": "boolean"
-                    },
-                    "valid": {
-                      "type": "boolean"
-                    }
-                  }
-                },
-                "command_line": {
-                  "fields": {
-                    "text": {
-                      "type": "match_only_text"
-                    }
-                  },
-                  "type": "wildcard"
-                },
-                "elf": {
-                  "properties": {
-                    "architecture": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "byte_order": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "cpu_type": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "creation_date": {
-                      "type": "date"
-                    },
-                    "exports": {
-                      "type": "flattened"
-                    },
-                    "header": {
-                      "properties": {
-                        "abi_version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "class": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "data": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "entrypoint": {
-                          "type": "long"
-                        },
-                        "object_version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "os_abi": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
-                    "imports": {
-                      "type": "flattened"
-                    },
-                    "sections": {
-                      "properties": {
-                        "chi2": {
-                          "type": "long"
-                        },
-                        "entropy": {
-                          "type": "long"
-                        },
-                        "flags": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "physical_offset": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "physical_size": {
-                          "type": "long"
-                        },
-                        "type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "virtual_address": {
-                          "type": "long"
-                        },
-                        "virtual_size": {
-                          "type": "long"
-                        }
-                      },
-                      "type": "nested"
-                    },
-                    "segments": {
-                      "properties": {
-                        "sections": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      },
-                      "type": "nested"
-                    },
-                    "shared_libraries": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "telfhash": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "end": {
-                  "type": "date"
-                },
-                "entity_id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "executable": {
-                  "fields": {
-                    "text": {
-                      "type": "match_only_text"
-                    }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "exit_code": {
-                  "type": "long"
-                },
-                "hash": {
-                  "properties": {
-                    "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha512": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "ssdeep": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "name": {
-                  "fields": {
-                    "text": {
-                      "type": "match_only_text"
-                    }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "parent": {
-                  "properties": {
-                    "args": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "args_count": {
-                      "type": "long"
-                    },
-                    "code_signature": {
-                      "properties": {
-                        "digest_algorithm": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "exists": {
-                          "type": "boolean"
-                        },
-                        "signing_id": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "status": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "subject_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "team_id": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "timestamp": {
-                          "type": "date"
-                        },
-                        "trusted": {
-                          "type": "boolean"
-                        },
-                        "valid": {
-                          "type": "boolean"
-                        }
-                      }
-                    },
-                    "command_line": {
-                      "fields": {
-                        "text": {
-                          "type": "match_only_text"
-                        }
-                      },
-                      "type": "wildcard"
-                    },
-                    "elf": {
-                      "properties": {
-                        "architecture": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "byte_order": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "cpu_type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "creation_date": {
-                          "type": "date"
-                        },
-                        "exports": {
-                          "type": "flattened"
-                        },
-                        "header": {
-                          "properties": {
-                            "abi_version": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "class": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "data": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "entrypoint": {
-                              "type": "long"
-                            },
-                            "object_version": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "os_abi": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "type": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "version": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          }
-                        },
-                        "imports": {
-                          "type": "flattened"
-                        },
-                        "sections": {
-                          "properties": {
-                            "chi2": {
-                              "type": "long"
-                            },
-                            "entropy": {
-                              "type": "long"
-                            },
-                            "flags": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "name": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "physical_offset": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "physical_size": {
-                              "type": "long"
-                            },
-                            "type": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "virtual_address": {
-                              "type": "long"
-                            },
-                            "virtual_size": {
-                              "type": "long"
-                            }
-                          },
-                          "type": "nested"
-                        },
-                        "segments": {
-                          "properties": {
-                            "sections": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "type": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          },
-                          "type": "nested"
-                        },
-                        "shared_libraries": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "telfhash": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
-                    "end": {
-                      "type": "date"
-                    },
-                    "entity_id": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "executable": {
-                      "fields": {
-                        "text": {
-                          "type": "match_only_text"
-                        }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "exit_code": {
-                      "type": "long"
-                    },
-                    "hash": {
-                      "properties": {
-                        "md5": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha1": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha256": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha512": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "ssdeep": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
-                    "name": {
-                      "fields": {
-                        "text": {
-                          "type": "match_only_text"
-                        }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "pe": {
-                      "properties": {
-                        "architecture": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "authentihash": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "company": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "compile_timestamp": {
-                          "type": "date"
-                        },
-                        "compiler": {
-                          "properties": {
-                            "name": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "version": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          }
-                        },
-                        "creation_date": {
-                          "type": "date"
-                        },
-                        "debug": {
-                          "properties": {
-                            "offset": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "size": {
-                              "type": "long"
-                            },
-                            "timestamp": {
-                              "type": "date"
-                            },
-                            "type": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          },
-                          "type": "nested"
-                        },
-                        "description": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "entry_point": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "exports": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "file_version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "icon": {
-                          "properties": {
-                            "hash": {
-                              "properties": {
-                                "dhash": {
-                                  "ignore_above": 1024,
-                                  "type": "keyword"
-                                }
-                              }
-                            }
-                          }
-                        },
-                        "imphash": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "imports": {
-                          "type": "flattened"
-                        },
-                        "machine_type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "original_file_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "packers": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "product": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "resources": {
-                          "properties": {
-                            "chi2": {
-                              "type": "long"
-                            },
-                            "entropy": {
-                              "type": "long"
-                            },
-                            "filetype": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "language": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "sha256": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "type": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          },
-                          "type": "nested"
-                        },
-                        "rich_header": {
-                          "properties": {
-                            "hash": {
-                              "properties": {
-                                "md5": {
-                                  "ignore_above": 1024,
-                                  "type": "keyword"
-                                }
-                              }
-                            }
-                          }
-                        },
-                        "sections": {
-                          "properties": {
-                            "chi2": {
-                              "type": "long"
-                            },
-                            "entropy": {
-                              "type": "float"
-                            },
-                            "flags": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "name": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "raw_size": {
-                              "type": "long"
-                            },
-                            "virtual_address": {
-                              "type": "long"
-                            }
-                          },
-                          "type": "nested"
-                        }
-                      }
-                    },
-                    "pgid": {
-                      "type": "long"
-                    },
-                    "pid": {
-                      "type": "long"
-                    },
-                    "ppid": {
-                      "type": "long"
-                    },
-                    "start": {
-                      "type": "date"
-                    },
-                    "thread": {
-                      "properties": {
-                        "id": {
-                          "type": "long"
-                        },
-                        "name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
-                    "title": {
-                      "fields": {
-                        "text": {
-                          "type": "match_only_text"
-                        }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "uptime": {
-                      "type": "long"
-                    },
-                    "working_directory": {
-                      "fields": {
-                        "text": {
-                          "type": "match_only_text"
-                        }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "pe": {
-                  "properties": {
-                    "architecture": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "authentihash": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "company": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "compile_timestamp": {
-                      "type": "date"
-                    },
-                    "compiler": {
-                      "properties": {
-                        "name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
-                    "creation_date": {
-                      "type": "date"
-                    },
-                    "debug": {
-                      "properties": {
-                        "offset": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "size": {
-                          "type": "long"
-                        },
-                        "timestamp": {
-                          "type": "date"
-                        },
-                        "type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      },
-                      "type": "nested"
-                    },
-                    "description": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "entry_point": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "exports": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "file_version": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "icon": {
-                      "properties": {
-                        "hash": {
-                          "properties": {
-                            "dhash": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          }
-                        }
-                      }
-                    },
-                    "imphash": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "imports": {
-                      "type": "flattened"
-                    },
-                    "machine_type": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "original_file_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "packers": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "product": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "resources": {
-                      "properties": {
-                        "chi2": {
-                          "type": "long"
-                        },
-                        "entropy": {
-                          "type": "long"
-                        },
-                        "filetype": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "language": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha256": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      },
-                      "type": "nested"
-                    },
-                    "rich_header": {
-                      "properties": {
-                        "hash": {
-                          "properties": {
-                            "md5": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          }
-                        }
-                      }
-                    },
-                    "sections": {
-                      "properties": {
-                        "chi2": {
-                          "type": "long"
-                        },
-                        "entropy": {
-                          "type": "float"
-                        },
-                        "flags": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "raw_size": {
-                          "type": "long"
-                        },
-                        "virtual_address": {
-                          "type": "long"
-                        }
-                      },
-                      "type": "nested"
-                    }
-                  }
-                },
-                "pgid": {
-                  "type": "long"
-                },
-                "pid": {
-                  "type": "long"
-                },
-                "ppid": {
-                  "type": "long"
-                },
-                "start": {
-                  "type": "date"
-                },
-                "thread": {
-                  "properties": {
-                    "id": {
-                      "type": "long"
-                    },
-                    "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "title": {
-                  "fields": {
-                    "text": {
-                      "type": "match_only_text"
-                    }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "uptime": {
-                  "type": "long"
-                },
-                "working_directory": {
-                  "fields": {
-                    "text": {
-                      "type": "match_only_text"
-                    }
-                  },
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
             "thread": {
               "properties": {
                 "id": {
@@ -1753,4 +875,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/registry.json b/experimental/generated/elasticsearch/component/registry.json
index dd6999e30f..6b2c5d195a 100644
--- a/experimental/generated/elasticsearch/component/registry.json
+++ b/experimental/generated/elasticsearch/component/registry.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -44,4 +44,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/related.json b/experimental/generated/elasticsearch/component/related.json
index f5b0064c70..3a9cfb7507 100644
--- a/experimental/generated/elasticsearch/component/related.json
+++ b/experimental/generated/elasticsearch/component/related.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -28,4 +28,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/rule.json b/experimental/generated/elasticsearch/component/rule.json
index 7825707887..8c170a89dc 100644
--- a/experimental/generated/elasticsearch/component/rule.json
+++ b/experimental/generated/elasticsearch/component/rule.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -53,4 +53,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json
index a68eb5de14..3ed7b67afe 100644
--- a/experimental/generated/elasticsearch/component/server.json
+++ b/experimental/generated/elasticsearch/component/server.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/service.json b/experimental/generated/elasticsearch/component/service.json
index bfa8e2914b..49dea3b91e 100644
--- a/experimental/generated/elasticsearch/component/service.json
+++ b/experimental/generated/elasticsearch/component/service.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -36,10 +36,98 @@
                 }
               }
             },
+            "origin": {
+              "properties": {
+                "address": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "environment": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ephemeral_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "node": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "state": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "state": {
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "target": {
+              "properties": {
+                "address": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "environment": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ephemeral_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "node": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "state": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "type": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -53,4 +141,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json
index 888ecb6142..c66670e8d2 100644
--- a/experimental/generated/elasticsearch/component/source.json
+++ b/experimental/generated/elasticsearch/component/source.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json
index 234b89c879..bc31872b24 100644
--- a/experimental/generated/elasticsearch/component/threat.json
+++ b/experimental/generated/elasticsearch/component/threat.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -244,6 +244,30 @@
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
+                        "hash": {
+                          "properties": {
+                            "md5": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha1": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha256": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha512": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "ssdeep": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
                         "inode": {
                           "ignore_above": 1024,
                           "type": "keyword"
@@ -276,6 +300,174 @@
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
+                        "pe": {
+                          "properties": {
+                            "architecture": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "authentihash": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "company": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "compile_timestamp": {
+                              "type": "date"
+                            },
+                            "compiler": {
+                              "properties": {
+                                "name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "version": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            },
+                            "creation_date": {
+                              "type": "date"
+                            },
+                            "debug": {
+                              "properties": {
+                                "offset": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "size": {
+                                  "type": "long"
+                                },
+                                "timestamp": {
+                                  "type": "date"
+                                },
+                                "type": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              },
+                              "type": "nested"
+                            },
+                            "description": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "entry_point": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "exports": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "file_version": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "icon": {
+                              "properties": {
+                                "hash": {
+                                  "properties": {
+                                    "dhash": {
+                                      "ignore_above": 1024,
+                                      "type": "keyword"
+                                    }
+                                  }
+                                }
+                              }
+                            },
+                            "imphash": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "imports": {
+                              "type": "flattened"
+                            },
+                            "machine_type": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "original_file_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "packers": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "product": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "resources": {
+                              "properties": {
+                                "chi2": {
+                                  "type": "long"
+                                },
+                                "entropy": {
+                                  "type": "long"
+                                },
+                                "filetype": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "language": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "sha256": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "type": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              },
+                              "type": "nested"
+                            },
+                            "rich_header": {
+                              "properties": {
+                                "hash": {
+                                  "properties": {
+                                    "md5": {
+                                      "ignore_above": 1024,
+                                      "type": "keyword"
+                                    }
+                                  }
+                                }
+                              }
+                            },
+                            "sections": {
+                              "properties": {
+                                "chi2": {
+                                  "type": "long"
+                                },
+                                "entropy": {
+                                  "type": "float"
+                                },
+                                "flags": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "raw_size": {
+                                  "type": "long"
+                                },
+                                "virtual_address": {
+                                  "type": "long"
+                                }
+                              },
+                              "type": "nested"
+                            }
+                          }
+                        },
                         "size": {
                           "type": "long"
                         },
@@ -295,6 +487,112 @@
                         "uid": {
                           "ignore_above": 1024,
                           "type": "keyword"
+                        },
+                        "x509": {
+                          "properties": {
+                            "alternative_names": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "issuer": {
+                              "properties": {
+                                "common_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "country": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "distinguished_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "locality": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organization": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organizational_unit": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "state_or_province": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            },
+                            "not_after": {
+                              "type": "date"
+                            },
+                            "not_before": {
+                              "type": "date"
+                            },
+                            "public_key_algorithm": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "public_key_curve": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "public_key_exponent": {
+                              "doc_values": false,
+                              "index": false,
+                              "type": "long"
+                            },
+                            "public_key_size": {
+                              "type": "long"
+                            },
+                            "serial_number": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "signature_algorithm": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "subject": {
+                              "properties": {
+                                "common_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "country": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "distinguished_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "locality": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organization": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organizational_unit": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "state_or_province": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            },
+                            "version_number": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
                         }
                       }
                     },
@@ -348,30 +646,6 @@
                         }
                       }
                     },
-                    "hash": {
-                      "properties": {
-                        "md5": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha1": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha256": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha512": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "ssdeep": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
                     "ip": {
                       "type": "ip"
                     },
@@ -389,174 +663,6 @@
                     "modified_at": {
                       "type": "date"
                     },
-                    "pe": {
-                      "properties": {
-                        "architecture": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "authentihash": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "company": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "compile_timestamp": {
-                          "type": "date"
-                        },
-                        "compiler": {
-                          "properties": {
-                            "name": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "version": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          }
-                        },
-                        "creation_date": {
-                          "type": "date"
-                        },
-                        "debug": {
-                          "properties": {
-                            "offset": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "size": {
-                              "type": "long"
-                            },
-                            "timestamp": {
-                              "type": "date"
-                            },
-                            "type": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          },
-                          "type": "nested"
-                        },
-                        "description": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "entry_point": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "exports": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "file_version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "icon": {
-                          "properties": {
-                            "hash": {
-                              "properties": {
-                                "dhash": {
-                                  "ignore_above": 1024,
-                                  "type": "keyword"
-                                }
-                              }
-                            }
-                          }
-                        },
-                        "imphash": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "imports": {
-                          "type": "flattened"
-                        },
-                        "machine_type": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "original_file_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "packers": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "product": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "resources": {
-                          "properties": {
-                            "chi2": {
-                              "type": "long"
-                            },
-                            "entropy": {
-                              "type": "long"
-                            },
-                            "filetype": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "language": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "sha256": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "type": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          },
-                          "type": "nested"
-                        },
-                        "rich_header": {
-                          "properties": {
-                            "hash": {
-                              "properties": {
-                                "md5": {
-                                  "ignore_above": 1024,
-                                  "type": "keyword"
-                                }
-                              }
-                            }
-                          }
-                        },
-                        "sections": {
-                          "properties": {
-                            "chi2": {
-                              "type": "long"
-                            },
-                            "entropy": {
-                              "type": "float"
-                            },
-                            "flags": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "name": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            },
-                            "raw_size": {
-                              "type": "long"
-                            },
-                            "virtual_address": {
-                              "type": "long"
-                            }
-                          },
-                          "type": "nested"
-                        }
-                      }
-                    },
                     "port": {
                       "type": "long"
                     },
@@ -806,6 +912,9 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "occurred": {
+                      "type": "date"
+                    },
                     "type": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -1073,6 +1182,30 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "hash": {
+                      "properties": {
+                        "md5": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha1": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha256": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha512": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "ssdeep": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
                     "inode": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -1105,287 +1238,369 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
-                    "size": {
-                      "type": "long"
-                    },
-                    "target_path": {
-                      "fields": {
-                        "text": {
-                          "type": "match_only_text"
-                        }
-                      },
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "type": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "uid": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "first_seen": {
-                  "type": "date"
-                },
-                "geo": {
-                  "properties": {
-                    "city_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "continent_code": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "continent_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "country_iso_code": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "country_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "location": {
-                      "type": "geo_point"
-                    },
-                    "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "postal_code": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "region_iso_code": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "region_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "timezone": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "hash": {
-                  "properties": {
-                    "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha512": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "ssdeep": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "ip": {
-                  "type": "ip"
-                },
-                "last_seen": {
-                  "type": "date"
-                },
-                "marking": {
-                  "properties": {
-                    "tlp": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "modified_at": {
-                  "type": "date"
-                },
-                "pe": {
-                  "properties": {
-                    "architecture": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "authentihash": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "company": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "compile_timestamp": {
-                      "type": "date"
-                    },
-                    "compiler": {
+                    "pe": {
                       "properties": {
-                        "name": {
+                        "architecture": {
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
-                        "version": {
+                        "authentihash": {
                           "ignore_above": 1024,
                           "type": "keyword"
-                        }
-                      }
-                    },
-                    "creation_date": {
-                      "type": "date"
-                    },
-                    "debug": {
-                      "properties": {
-                        "offset": {
+                        },
+                        "company": {
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
-                        "size": {
-                          "type": "long"
+                        "compile_timestamp": {
+                          "type": "date"
                         },
-                        "timestamp": {
+                        "compiler": {
+                          "properties": {
+                            "name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "version": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
+                        "creation_date": {
                           "type": "date"
                         },
-                        "type": {
+                        "debug": {
+                          "properties": {
+                            "offset": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "size": {
+                              "type": "long"
+                            },
+                            "timestamp": {
+                              "type": "date"
+                            },
+                            "type": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          },
+                          "type": "nested"
+                        },
+                        "description": {
                           "ignore_above": 1024,
                           "type": "keyword"
-                        }
-                      },
-                      "type": "nested"
-                    },
-                    "description": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "entry_point": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "exports": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "file_version": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "icon": {
-                      "properties": {
-                        "hash": {
+                        },
+                        "entry_point": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "exports": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "file_version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "icon": {
+                          "properties": {
+                            "hash": {
+                              "properties": {
+                                "dhash": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            }
+                          }
+                        },
+                        "imphash": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "imports": {
+                          "type": "flattened"
+                        },
+                        "machine_type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "original_file_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "packers": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "product": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "resources": {
                           "properties": {
-                            "dhash": {
+                            "chi2": {
+                              "type": "long"
+                            },
+                            "entropy": {
+                              "type": "long"
+                            },
+                            "filetype": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "language": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha256": {
                               "ignore_above": 1024,
                               "type": "keyword"
+                            },
+                            "type": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          },
+                          "type": "nested"
+                        },
+                        "rich_header": {
+                          "properties": {
+                            "hash": {
+                              "properties": {
+                                "md5": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
                             }
                           }
+                        },
+                        "sections": {
+                          "properties": {
+                            "chi2": {
+                              "type": "long"
+                            },
+                            "entropy": {
+                              "type": "float"
+                            },
+                            "flags": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "raw_size": {
+                              "type": "long"
+                            },
+                            "virtual_address": {
+                              "type": "long"
+                            }
+                          },
+                          "type": "nested"
                         }
                       }
                     },
-                    "imphash": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "imports": {
-                      "type": "flattened"
-                    },
-                    "machine_type": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                    "size": {
+                      "type": "long"
                     },
-                    "original_file_name": {
+                    "target_path": {
+                      "fields": {
+                        "text": {
+                          "type": "match_only_text"
+                        }
+                      },
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
-                    "packers": {
+                    "type": {
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
-                    "product": {
+                    "uid": {
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
-                    "resources": {
+                    "x509": {
                       "properties": {
-                        "chi2": {
-                          "type": "long"
+                        "alternative_names": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         },
-                        "entropy": {
-                          "type": "long"
+                        "issuer": {
+                          "properties": {
+                            "common_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "country": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "distinguished_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "locality": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organization": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organizational_unit": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "state_or_province": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
                         },
-                        "filetype": {
+                        "not_after": {
+                          "type": "date"
+                        },
+                        "not_before": {
+                          "type": "date"
+                        },
+                        "public_key_algorithm": {
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
-                        "language": {
+                        "public_key_curve": {
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
-                        "sha256": {
+                        "public_key_exponent": {
+                          "doc_values": false,
+                          "index": false,
+                          "type": "long"
+                        },
+                        "public_key_size": {
+                          "type": "long"
+                        },
+                        "serial_number": {
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
-                        "type": {
+                        "signature_algorithm": {
                           "ignore_above": 1024,
                           "type": "keyword"
-                        }
-                      },
-                      "type": "nested"
-                    },
-                    "rich_header": {
-                      "properties": {
-                        "hash": {
+                        },
+                        "subject": {
                           "properties": {
-                            "md5": {
+                            "common_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "country": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "distinguished_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "locality": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organization": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organizational_unit": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "state_or_province": {
                               "ignore_above": 1024,
                               "type": "keyword"
                             }
                           }
-                        }
-                      }
-                    },
-                    "sections": {
-                      "properties": {
-                        "chi2": {
-                          "type": "long"
-                        },
-                        "entropy": {
-                          "type": "float"
                         },
-                        "flags": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "name": {
+                        "version_number": {
                           "ignore_above": 1024,
                           "type": "keyword"
-                        },
-                        "raw_size": {
-                          "type": "long"
-                        },
-                        "virtual_address": {
-                          "type": "long"
                         }
-                      },
-                      "type": "nested"
+                      }
+                    }
+                  }
+                },
+                "first_seen": {
+                  "type": "date"
+                },
+                "geo": {
+                  "properties": {
+                    "city_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "continent_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "continent_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country_iso_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "location": {
+                      "type": "geo_point"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "postal_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "region_iso_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "region_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "timezone": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "ip": {
+                  "type": "ip"
+                },
+                "last_seen": {
+                  "type": "date"
+                },
+                "marking": {
+                  "properties": {
+                    "tlp": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
+                "modified_at": {
+                  "type": "date"
+                },
                 "port": {
                   "type": "long"
                 },
@@ -1707,4 +1922,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/tls.json b/experimental/generated/elasticsearch/component/tls.json
index 9ec0273d8b..8c45601618 100644
--- a/experimental/generated/elasticsearch/component/tls.json
+++ b/experimental/generated/elasticsearch/component/tls.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -351,4 +351,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/tracing.json b/experimental/generated/elasticsearch/component/tracing.json
index cfdec7fa58..e0f60510e4 100644
--- a/experimental/generated/elasticsearch/component/tracing.json
+++ b/experimental/generated/elasticsearch/component/tracing.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -33,4 +33,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/url.json b/experimental/generated/elasticsearch/component/url.json
index d022575ab7..fd15301ea4 100644
--- a/experimental/generated/elasticsearch/component/url.json
+++ b/experimental/generated/elasticsearch/component/url.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -75,4 +75,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/user.json b/experimental/generated/elasticsearch/component/user.json
index 23e0bf87b7..cd63c06d6d 100644
--- a/experimental/generated/elasticsearch/component/user.json
+++ b/experimental/generated/elasticsearch/component/user.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -241,4 +241,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/user_agent.json b/experimental/generated/elasticsearch/component/user_agent.json
index f502087ad3..34a4b977e4 100644
--- a/experimental/generated/elasticsearch/component/user_agent.json
+++ b/experimental/generated/elasticsearch/component/user_agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -80,4 +80,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/component/vulnerability.json b/experimental/generated/elasticsearch/component/vulnerability.json
index f45106947a..a6e1eab029 100644
--- a/experimental/generated/elasticsearch/component/vulnerability.json
+++ b/experimental/generated/elasticsearch/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "template": {
     "mappings": {
@@ -75,4 +75,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json
index 4822e863e0..d7ac0f8e66 100644
--- a/experimental/generated/elasticsearch/template.json
+++ b/experimental/generated/elasticsearch/template.json
@@ -1,46 +1,48 @@
 {
   "_meta": {
     "description": "Sample composable template that includes all ECS fields",
-    "ecs_version": "8.0.0-dev+exp"
+    "ecs_version": "8.1.0-dev+exp"
   },
   "composed_of": [
-    "ecs_8.0.0-dev-exp_agent",
-    "ecs_8.0.0-dev-exp_base",
-    "ecs_8.0.0-dev-exp_client",
-    "ecs_8.0.0-dev-exp_cloud",
-    "ecs_8.0.0-dev-exp_container",
-    "ecs_8.0.0-dev-exp_data_stream",
-    "ecs_8.0.0-dev-exp_destination",
-    "ecs_8.0.0-dev-exp_dll",
-    "ecs_8.0.0-dev-exp_dns",
-    "ecs_8.0.0-dev-exp_ecs",
-    "ecs_8.0.0-dev-exp_error",
-    "ecs_8.0.0-dev-exp_event",
-    "ecs_8.0.0-dev-exp_file",
-    "ecs_8.0.0-dev-exp_group",
-    "ecs_8.0.0-dev-exp_host",
-    "ecs_8.0.0-dev-exp_http",
-    "ecs_8.0.0-dev-exp_log",
-    "ecs_8.0.0-dev-exp_network",
-    "ecs_8.0.0-dev-exp_observer",
-    "ecs_8.0.0-dev-exp_orchestrator",
-    "ecs_8.0.0-dev-exp_organization",
-    "ecs_8.0.0-dev-exp_package",
-    "ecs_8.0.0-dev-exp_process",
-    "ecs_8.0.0-dev-exp_registry",
-    "ecs_8.0.0-dev-exp_related",
-    "ecs_8.0.0-dev-exp_rule",
-    "ecs_8.0.0-dev-exp_server",
-    "ecs_8.0.0-dev-exp_service",
-    "ecs_8.0.0-dev-exp_source",
-    "ecs_8.0.0-dev-exp_threat",
-    "ecs_8.0.0-dev-exp_tls",
-    "ecs_8.0.0-dev-exp_tracing",
-    "ecs_8.0.0-dev-exp_url",
-    "ecs_8.0.0-dev-exp_user",
-    "ecs_8.0.0-dev-exp_user_agent",
-    "ecs_8.0.0-dev-exp_vulnerability",
-    "ecs_8.0.0-dev-exp_email"
+    "ecs_8.1.0-dev-exp_agent",
+    "ecs_8.1.0-dev-exp_base",
+    "ecs_8.1.0-dev-exp_client",
+    "ecs_8.1.0-dev-exp_cloud",
+    "ecs_8.1.0-dev-exp_container",
+    "ecs_8.1.0-dev-exp_data_stream",
+    "ecs_8.1.0-dev-exp_destination",
+    "ecs_8.1.0-dev-exp_dll",
+    "ecs_8.1.0-dev-exp_dns",
+    "ecs_8.1.0-dev-exp_ecs",
+    "ecs_8.1.0-dev-exp_error",
+    "ecs_8.1.0-dev-exp_event",
+    "ecs_8.1.0-dev-exp_faas",
+    "ecs_8.1.0-dev-exp_file",
+    "ecs_8.1.0-dev-exp_group",
+    "ecs_8.1.0-dev-exp_host",
+    "ecs_8.1.0-dev-exp_http",
+    "ecs_8.1.0-dev-exp_log",
+    "ecs_8.1.0-dev-exp_network",
+    "ecs_8.1.0-dev-exp_observer",
+    "ecs_8.1.0-dev-exp_orchestrator",
+    "ecs_8.1.0-dev-exp_organization",
+    "ecs_8.1.0-dev-exp_package",
+    "ecs_8.1.0-dev-exp_process",
+    "ecs_8.1.0-dev-exp_registry",
+    "ecs_8.1.0-dev-exp_related",
+    "ecs_8.1.0-dev-exp_rule",
+    "ecs_8.1.0-dev-exp_server",
+    "ecs_8.1.0-dev-exp_service",
+    "ecs_8.1.0-dev-exp_source",
+    "ecs_8.1.0-dev-exp_threat",
+    "ecs_8.1.0-dev-exp_tls",
+    "ecs_8.1.0-dev-exp_tracing",
+    "ecs_8.1.0-dev-exp_url",
+    "ecs_8.1.0-dev-exp_user",
+    "ecs_8.1.0-dev-exp_user_agent",
+    "ecs_8.1.0-dev-exp_vulnerability",
+    "ecs_8.1.0-dev-exp_cgroup",
+    "ecs_8.1.0-dev-exp_email"
   ],
   "index_patterns": [
     "try-ecs-*"
@@ -71,4 +73,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/experimental/schemas/cgroup.yml b/experimental/schemas/cgroup.yml
new file mode 100644
index 0000000000..a58f71683e
--- /dev/null
+++ b/experimental/schemas/cgroup.yml
@@ -0,0 +1,52 @@
+---
+- name: cgroup
+  title: Common cgroup metrics
+  group: 2
+  short: fields common to cgroups V1 and V2
+  description: >
+    Fields related to control group (cgroup) metrics. Due to controller changes
+    between V1 and V2, many same or similar metrics will often appear under
+    different controller names. These fields are common to both cgroup versions.
+  type: group
+  fields:
+    - name: version
+      level: extended
+      type: long
+      description: >
+        The cgroup version linked to the metrics
+    - name: cpu.periods
+      level: extended
+      type: long
+      example: 454839343
+      description: >
+        Number of period intervals that have elapsed.
+    - name: cpu.throttled.us
+      level: extended
+      type: long
+      example: 15000
+      description: >
+        Microseconds of CPU throttled time.
+    - name: cpu.usage
+      level: extended
+      type: scaled_float
+      scaling_factor: 1000
+      description: >
+        CPU usage, normalized by the CPU count.
+    - name: memory.usage
+      level: extended
+      type: long
+      example: 25600
+      description: >
+        Memory usage in bytes
+    - name: memory.limit
+      level: extended
+      type: long
+      example: 256
+      description: >
+        Memory limit within the cgroup.
+    - name: memory.swap.usage
+      level: extended
+      type: long
+      example: 5600
+      description: >
+        The amount of cgroup memory in swap.
diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml
deleted file mode 100644
index f911fe9c8b..0000000000
--- a/experimental/schemas/process.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: process
-  reusable:
-    expected:
-      - at: process
-        as: target
-      - at: process.target
-        as: parent
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index ec80bc8ea3..fb6b8498ec 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 8.0.0-dev.
+# based on ECS version 8.1.0-dev.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
@@ -63,6 +63,7 @@
       not change if data is sent through queuing systems like Kafka, Redis, or processing
       systems such as Logstash or APM Server.'
     type: group
+    default_field: true
     fields:
     - name: build.original
       level: core
@@ -127,6 +128,7 @@
       behalf of a single administrative entity or domain that presents a common, clearly
       defined routing policy to the internet.
     type: group
+    default_field: true
     fields:
     - name: number
       level: extended
@@ -163,6 +165,7 @@
       in that category, you should still ensure that source and destination are filled
       appropriately.'
     type: group
+    default_field: true
     fields:
     - name: address
       level: extended
@@ -436,8 +439,19 @@
       from its host, the cloud info contains the data about this machine. If Metricbeat
       runs on a remote machine outside the cloud and fetches data from a service running
       in the cloud, the field contains cloud data from the machine the service is
-      running on.'
+      running on.
+
+      The cloud fields may be self-nested under cloud.origin.* and cloud.target.*  to
+      describe origin or target service''s cloud information in the context of  incoming
+      or outgoing requests, respectively. However, the fieldsets  cloud.origin.* and
+      cloud.target.* must not be confused with the root cloud  fieldset that is used
+      to describe the cloud context of the actual service  under observation. The
+      fieldset cloud.origin.* may only be used in the  context of incoming requests
+      or events to provide the originating service''s  cloud information. The fieldset
+      cloud.target.* may only be used in the  context of outgoing requests or events
+      to describe the target service''s  cloud information.'
     type: group
+    default_field: true
     fields:
     - name: account.id
       level: extended
@@ -481,6 +495,97 @@
       ignore_above: 1024
       description: Machine type of the host machine.
       example: t2.medium
+    - name: origin.account.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      default_field: false
+    - name: origin.account.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      default_field: false
+    - name: origin.availability_zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      default_field: false
+    - name: origin.instance.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      default_field: false
+    - name: origin.instance.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance name of the host machine.
+      default_field: false
+    - name: origin.machine.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the host machine.
+      example: t2.medium
+      default_field: false
+    - name: origin.project.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      default_field: false
+    - name: origin.project.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      default_field: false
+    - name: origin.provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      default_field: false
+    - name: origin.region
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      default_field: false
+    - name: origin.service.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      default_field: false
     - name: project.id
       level: extended
       type: keyword
@@ -523,11 +628,103 @@
         Examples: app engine, app service, cloud run, fargate, lambda.'
       example: lambda
       default_field: false
+    - name: target.account.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      default_field: false
+    - name: target.account.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      default_field: false
+    - name: target.availability_zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      default_field: false
+    - name: target.instance.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      default_field: false
+    - name: target.instance.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance name of the host machine.
+      default_field: false
+    - name: target.machine.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the host machine.
+      example: t2.medium
+      default_field: false
+    - name: target.project.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      default_field: false
+    - name: target.project.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      default_field: false
+    - name: target.provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      default_field: false
+    - name: target.region
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      default_field: false
+    - name: target.service.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      default_field: false
   - name: code_signature
     title: Code Signature
     group: 2
     description: These fields contain information about binary code signatures.
     type: group
+    default_field: true
     fields:
     - name: digest_algorithm
       level: extended
@@ -615,6 +812,7 @@
 
       These fields help correlate data based containers from any runtime.'
     type: group
+    default_field: true
     fields:
     - name: id
       level: core
@@ -665,6 +863,7 @@
       names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character),
       `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
     type: group
+    default_field: true
     fields:
     - name: dataset
       level: extended
@@ -712,6 +911,7 @@
       transaction. If the event also contains identification of the client and server
       roles, then the client and server fields should also be populated.'
     type: group
+    default_field: true
     fields:
     - name: address
       level: extended
@@ -991,6 +1191,7 @@
 
       * Dynamic library (`.dylib`) commonly used on macOS'
     type: group
+    default_field: true
     fields:
     - name: code_signature.digest_algorithm
       level: extended
@@ -1179,6 +1380,7 @@
       query details as well as all of the answers that were provided for this query
       (`dns.type:answer`).'
     type: group
+    default_field: true
     fields:
     - name: answers
       level: extended
@@ -1343,6 +1545,7 @@
     group: 2
     description: Meta-information specific to ECS.
     type: group
+    default_field: true
     fields:
     - name: version
       level: core
@@ -1361,6 +1564,7 @@
     group: 2
     description: These fields contain Linux Executable Linkable Format (ELF) metadata.
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: extended
@@ -1549,6 +1753,7 @@
       Use them for errors that happen while fetching events or in cases where the
       event itself contains an error.'
     type: group
+    default_field: true
     fields:
     - name: code
       level: core
@@ -1594,6 +1799,7 @@
       temperature. See the `event.kind` definition in this section for additional
       details about metric and state events.'
     type: group
+    default_field: true
     fields:
     - name: action
       level: core
@@ -1905,6 +2111,46 @@
         are a common use case for this field.'
       example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
       default_field: false
+  - name: faas
+    title: FaaS
+    group: 2
+    description: The user fields describe information about the function as a service
+      that is relevant to the event.
+    type: group
+    default_field: true
+    fields:
+    - name: coldstart
+      level: extended
+      type: boolean
+      description: Boolean value indicating a cold start of a function.
+      default_field: false
+    - name: execution
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The execution ID of the current function execution.
+      example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+      default_field: false
+    - name: trigger
+      level: extended
+      type: nested
+      description: Details about the function trigger.
+      default_field: false
+    - name: trigger.request_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The ID of the trigger request , message, event, etc.
+      example: 123456789
+      default_field: false
+    - name: trigger.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The trigger for the function execution.\nExpected values are:\n\
+        \  * http\n  * pubsub\n  * datasource\n  * timer\n  * other"
+      example: http
+      default_field: false
   - name: file
     title: File
     group: 2
@@ -1916,6 +2162,7 @@
       services). File fields provide details about the affected file associated with
       the event or metric.'
     type: group
+    default_field: true
     fields:
     - name: accessed
       level: extended
@@ -2603,6 +2850,7 @@
       This geolocation information can be derived from techniques such as Geo IP,
       or be user-supplied.'
     type: group
+    default_field: true
     fields:
     - name: city_name
       level: core
@@ -2687,6 +2935,7 @@
     description: The group fields are meant to represent groups that are relevant
       to the event.
     type: group
+    default_field: true
     fields:
     - name: domain
       level: extended
@@ -2719,6 +2968,7 @@
       a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
       placed in the fieldsets to which they relate (tls and pe, respectively).'
     type: group
+    default_field: true
     fields:
     - name: md5
       level: extended
@@ -2755,6 +3005,7 @@
       event happened, or from which the measurement was taken. Host types include
       hardware, virtual machines, Docker containers, and Kubernetes nodes.'
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: core
@@ -3017,6 +3268,7 @@
     description: Fields related to HTTP activity. Use the `url` field set to store
       the url of the request.
     type: group
+    default_field: true
     fields:
     - name: request.body.bytes
       level: extended
@@ -3131,6 +3383,7 @@
       a single observer interface (e.g. network sensor on a span port) only the observer.ingress
       information should be populated.
     type: group
+    default_field: true
     fields:
     - name: alias
       level: extended
@@ -3167,6 +3420,7 @@
       The details specific to your event source are typically not logged under `log.*`,
       but rather in `event.*` or in other ECS fields.'
     type: group
+    default_field: true
     fields:
     - name: file.path
       level: extended
@@ -3278,19 +3532,21 @@
       The network.* fields should be populated with details about the network activity
       associated with an event.'
     type: group
+    default_field: true
     fields:
     - name: application
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A name given to an application level protocol. This can be arbitrarily
-        assigned for things like microservices, but also apply to things like skype,
-        icq, facebook, twitter. This would be used in situations where the vendor
-        or service can be decoded such as from the source/dest IP owners, ports, or
-        wire format.
+      description: 'When a specific application or service is identified from network
+        connection details (source/dest IPs, ports, certificates, or wire format),
+        this field captures the application''s or service''s name.
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        For example, the original event identifies the network connection being from
+        a specific web service in a `https` network connection, like `facebook` or
+        `twitter`.
+
+        The field value must be normalized to lowercase for querying.'
       example: aim
     - name: bytes
       level: core
@@ -3382,10 +3638,10 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+      description: 'In the OSI Model this would be the Application Layer protocol.
+        For example, `http`, `dns`, or `ssh`.
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: http
     - name: transport
       level: core
@@ -3394,8 +3650,7 @@
       description: 'Same as network.iana_number, but instead using the Keyword name
         of the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: tcp
     - name: type
       level: core
@@ -3404,8 +3659,7 @@
       description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
         ipsec, pim, etc
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: ipv4
     - name: vlan.id
       level: extended
@@ -3437,6 +3691,7 @@
       or metric. Message queues and ETL components used in processing events or metrics
       are not considered observers in ECS.'
     type: group
+    default_field: true
     fields:
     - name: egress
       level: extended
@@ -3750,6 +4005,7 @@
     description: Fields that describe the resources which container orchestrators
       manage or act upon.
     type: group
+    default_field: true
     fields:
     - name: api_version
       level: extended
@@ -3821,6 +4077,7 @@
       These fields help you arrange or filter data stored in an index by one or multiple
       organizations.'
     type: group
+    default_field: true
     fields:
     - name: id
       level: extended
@@ -3841,6 +4098,7 @@
     group: 2
     description: The OS fields contain information about the operating system.
     type: group
+    default_field: true
     fields:
     - name: family
       level: extended
@@ -3908,6 +4166,7 @@
       It contains general information about a package, such as name, version or size.
       It also contains installation details, such as time or location.
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: extended
@@ -4004,6 +4263,7 @@
     group: 2
     description: These fields contain Windows Portable Executable (PE) metadata.
     type: group
+    default_field: true
     fields:
     - name: architecture
       level: extended
@@ -4067,6 +4327,7 @@
       from a log message.  The `process.pid` often stays in the metric itself and
       is copied to the global field for correlation.'
     type: group
+    default_field: true
     fields:
     - name: args
       level: extended
@@ -4871,13 +5132,6 @@
       description: Process id.
       example: 4242
       default_field: false
-    - name: parent.ppid
-      level: extended
-      type: long
-      format: string
-      description: Parent process' pid.
-      example: 4241
-      default_field: false
     - name: parent.start
       level: extended
       type: date
@@ -4990,12 +5244,6 @@
       format: string
       description: Process id.
       example: 4242
-    - name: ppid
-      level: extended
-      type: long
-      format: string
-      description: Parent process' pid.
-      example: 4241
     - name: start
       level: extended
       type: date
@@ -5045,6 +5293,7 @@
     group: 2
     description: Fields related to Windows Registry operations.
     type: group
+    default_field: true
     fields:
     - name: data.bytes
       level: extended
@@ -5120,6 +5369,7 @@
       to `related.ip`, you can then search for a given IP trivially, no matter where
       it appeared, by querying `related.ip:192.0.2.15`.'
     type: group
+    default_field: true
     fields:
     - name: hash
       level: extended
@@ -5157,6 +5407,7 @@
       application firewalls, url filters, endpoint detection and response (EDR) systems,
       etc.'
     type: group
+    default_field: true
     fields:
     - name: author
       level: extended
@@ -5259,6 +5510,7 @@
       in that category, you should still ensure that source and destination are filled
       appropriately.'
     type: group
+    default_field: true
     fields:
     - name: address
       level: extended
@@ -5530,7 +5782,16 @@
       was collected.
 
       These fields help you find and correlate logs for a specific service and version.'
+    footnote: The service fields may be self-nested under service.origin.* and service.target.*  to
+      describe origin or target services in the context of incoming or outgoing requests,  respectively.
+      However, the fieldsets service.origin.* and service.target.* must not be confused
+      with  the root service fieldset that is used to describe the actual service
+      under observation. The fieldset service.origin.* may only be used in the context
+      of incoming requests or  events to describe the originating service of the request.
+      The fieldset service.target.*  may only be used in the context of outgoing requests
+      or events to describe the target  service of the request.
     type: group
+    default_field: true
     fields:
     - name: address
       level: extended
@@ -5606,54 +5867,267 @@
         provide uniqueness (e.g. multiple instances of the service running on the
         same host) - the node name can be manually set.'
       example: instance-0000000016
-    - name: state
-      level: core
+    - name: origin.address
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: Current state of the service.
-    - name: type
-      level: core
+      description: 'Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
+      default_field: false
+    - name: origin.environment
+      level: extended
       type: keyword
       ignore_above: 1024
-      description: 'The type of the service data is collected from.
+      description: 'Identifies the environment where the service is running.
 
-        The type can be used to group and correlate logs and metrics from one service
-        type.
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
+      default_field: false
+    - name: origin.ephemeral_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Ephemeral identifier of this service (if one exists).
 
-        Example: If logs or metrics are collected from Elasticsearch, `service.type`
-        would be `elasticsearch`.'
-      example: elasticsearch
-    - name: version
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+      default_field: false
+    - name: origin.id
       level: core
       type: keyword
       ignore_above: 1024
-      description: 'Version of the service the data was collected from.
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
 
-        This allows to look at a data set only for a specific version of a service.'
-      example: 3.2.4
-  - name: source
-    title: Source
-    group: 2
-    description: 'Source fields capture details about the sender of a network exchange/packet.
-      These fields are populated from a network event, packet, or other event containing
-      details of a network transaction.
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
 
-      Source fields are usually populated in conjunction with destination fields.
-      The source and destination fields are considered the baseline and should always
-      be filled if an event contains source and destination details from a network
-      transaction. If the event also contains identification of the client and server
-      roles, then the client and server fields should also be populated.'
-    type: group
-    fields:
-    - name: address
-      level: extended
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+      default_field: false
+    - name: origin.name
+      level: core
       type: keyword
       ignore_above: 1024
-      description: 'Some event source addresses are defined ambiguously. The event
-        will sometimes list an IP, a domain or a unix socket.  You should always store
-        the raw address in the `.address` field.
+      description: 'Name of the service data is collected from.
 
-        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+      default_field: false
+    - name: origin.node.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+      default_field: false
+    - name: origin.state
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Current state of the service.
+      default_field: false
+    - name: origin.type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+      default_field: false
+    - name: origin.version
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+      default_field: false
+    - name: state
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Current state of the service.
+    - name: target.address
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
+      default_field: false
+    - name: target.environment
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Identifies the environment where the service is running.
+
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
+      default_field: false
+    - name: target.ephemeral_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+      default_field: false
+    - name: target.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+      default_field: false
+    - name: target.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+      default_field: false
+    - name: target.node.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+      default_field: false
+    - name: target.state
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Current state of the service.
+      default_field: false
+    - name: target.type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+      default_field: false
+    - name: target.version
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+      default_field: false
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+    - name: version
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+  - name: source
+    title: Source
+    group: 2
+    description: 'Source fields capture details about the sender of a network exchange/packet.
+      These fields are populated from a network event, packet, or other event containing
+      details of a network transaction.
+
+      Source fields are usually populated in conjunction with destination fields.
+      The source and destination fields are considered the baseline and should always
+      be filled if an event contains source and destination details from a network
+      transaction. If the event also contains identification of the client and server
+      roles, then the client and server fields should also be populated.'
+    type: group
+    default_field: true
+    fields:
+    - name: address
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Some event source addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
         it is.'
     - name: as.number
       level: extended
@@ -5919,6 +6393,7 @@
       \ which kind of approach is used by this detected threat, to accomplish the\
       \ goal (e.g. \"endpoint denial of service\")."
     type: group
+    default_field: true
     fields:
     - name: enrichments
       level: extended
@@ -6331,6 +6806,36 @@
       description: Primary group name of the file.
       example: alice
       default_field: false
+    - name: enrichments.indicator.file.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: enrichments.indicator.file.hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+      default_field: false
+    - name: enrichments.indicator.file.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: enrichments.indicator.file.hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+      default_field: false
+    - name: enrichments.indicator.file.hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: enrichments.indicator.file.inode
       level: extended
       type: keyword
@@ -6384,46 +6889,271 @@
         the drive letter, when appropriate.
       example: /home/alice/example.png
       default_field: false
-    - name: enrichments.indicator.file.size
-      level: extended
-      type: long
-      description: 'File size in bytes.
-
-        Only relevant when `file.type` is "file".'
-      example: 16384
-      default_field: false
-    - name: enrichments.indicator.file.target_path
+    - name: enrichments.indicator.file.pe.architecture
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Target path for symlinks.
+      description: CPU architecture target for the file.
+      example: x64
       default_field: false
-    - name: enrichments.indicator.file.type
+    - name: enrichments.indicator.file.pe.company
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File type (file, dir, or symlink).
-      example: file
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
       default_field: false
-    - name: enrichments.indicator.file.uid
+    - name: enrichments.indicator.file.pe.description
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The user ID (UID) or security identifier (SID) of the file owner.
-      example: '1001'
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
       default_field: false
-    - name: enrichments.indicator.first_seen
+    - name: enrichments.indicator.file.pe.file_version
       level: extended
-      type: date
-      description: The date and time when intelligence source first reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: enrichments.indicator.geo.city_name
-      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: enrichments.indicator.file.pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: enrichments.indicator.file.pe.original_file_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: enrichments.indicator.file.pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: enrichments.indicator.file.size
+      level: extended
+      type: long
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      default_field: false
+    - name: enrichments.indicator.file.target_path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Target path for symlinks.
+      default_field: false
+    - name: enrichments.indicator.file.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type (file, dir, or symlink).
+      example: file
+      default_field: false
+    - name: enrichments.indicator.file.uid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+      default_field: false
+    - name: enrichments.indicator.file.x509.alternative_names
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      default_field: false
+    - name: enrichments.indicator.file.x509.issuer.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      default_field: false
+    - name: enrichments.indicator.file.x509.issuer.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) codes
+      example: US
+      default_field: false
+    - name: enrichments.indicator.file.x509.issuer.distinguished_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      default_field: false
+    - name: enrichments.indicator.file.x509.issuer.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: Mountain View
+      default_field: false
+    - name: enrichments.indicator.file.x509.issuer.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      default_field: false
+    - name: enrichments.indicator.file.x509.issuer.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      default_field: false
+    - name: enrichments.indicator.file.x509.issuer.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: enrichments.indicator.file.x509.not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: enrichments.indicator.file.x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: enrichments.indicator.file.x509.public_key_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Algorithm used to generate the public key.
+      example: RSA
+      default_field: false
+    - name: enrichments.indicator.file.x509.public_key_curve
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      default_field: false
+    - name: enrichments.indicator.file.x509.public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      doc_values: false
+      default_field: false
+    - name: enrichments.indicator.file.x509.public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: enrichments.indicator.file.x509.serial_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      default_field: false
+    - name: enrichments.indicator.file.x509.signature_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      default_field: false
+    - name: enrichments.indicator.file.x509.subject.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      default_field: false
+    - name: enrichments.indicator.file.x509.subject.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) code
+      example: US
+      default_field: false
+    - name: enrichments.indicator.file.x509.subject.distinguished_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      default_field: false
+    - name: enrichments.indicator.file.x509.subject.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: San Francisco
+      default_field: false
+    - name: enrichments.indicator.file.x509.subject.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      default_field: false
+    - name: enrichments.indicator.file.x509.subject.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of subject.
+      default_field: false
+    - name: enrichments.indicator.file.x509.subject.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: enrichments.indicator.file.x509.version_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of x509 format.
+      example: 3
+      default_field: false
+    - name: enrichments.indicator.first_seen
+      level: extended
+      type: date
+      description: The date and time when intelligence source first reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: enrichments.indicator.geo.city_name
+      level: core
       type: keyword
       ignore_above: 1024
       description: City name.
@@ -6507,117 +7237,34 @@
       description: The time zone of the location, such as IANA time zone name.
       example: America/Argentina/Buenos_Aires
       default_field: false
-    - name: enrichments.indicator.hash.md5
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: MD5 hash.
-      default_field: false
-    - name: enrichments.indicator.hash.sha1
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA1 hash.
-      default_field: false
-    - name: enrichments.indicator.hash.sha256
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA256 hash.
-      default_field: false
-    - name: enrichments.indicator.hash.sha512
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA512 hash.
-      default_field: false
-    - name: enrichments.indicator.hash.ssdeep
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SSDEEP hash.
-      default_field: false
     - name: enrichments.indicator.ip
       level: extended
       type: ip
       description: Identifies a threat indicator as an IP address (irrespective of
         direction).
-      example: 1.2.3.4
-      default_field: false
-    - name: enrichments.indicator.last_seen
-      level: extended
-      type: date
-      description: The date and time when intelligence source last reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: enrichments.indicator.marking.tlp
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
-        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-      example: White
-      default_field: false
-    - name: enrichments.indicator.modified_at
-      level: extended
-      type: date
-      description: The date and time when intelligence source last modified information
-        for this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      default_field: false
-    - name: enrichments.indicator.pe.architecture
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: CPU architecture target for the file.
-      example: x64
-      default_field: false
-    - name: enrichments.indicator.pe.company
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      default_field: false
-    - name: enrichments.indicator.pe.description
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      default_field: false
-    - name: enrichments.indicator.pe.file_version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
+      example: 1.2.3.4
       default_field: false
-    - name: enrichments.indicator.pe.imphash
+    - name: enrichments.indicator.last_seen
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
+      type: date
+      description: The date and time when intelligence source last reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: enrichments.indicator.pe.original_file_name
+    - name: enrichments.indicator.marking.tlp
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
+      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
+        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+      example: White
       default_field: false
-    - name: enrichments.indicator.pe.product
+    - name: enrichments.indicator.modified_at
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
+      type: date
+      description: The date and time when intelligence source last modified information
+        for this indicator.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
     - name: enrichments.indicator.port
       level: extended
@@ -7073,6 +7720,12 @@
       description: Identifies the _index of the indicator document enriching the event.
       example: filebeat-8.0.0-2021.05.23-000011
       default_field: false
+    - name: enrichments.matched.occurred
+      level: extended
+      type: date
+      description: Indicates when the indicator match was generated
+      example: 2021-10-05 17:00:58.326000+00:00
+      default_field: false
     - name: enrichments.matched.type
       level: extended
       type: keyword
@@ -7433,182 +8086,437 @@
       format: bytes
       description: ELF Section List physical size.
       default_field: false
-    - name: indicator.file.elf.sections.type
+    - name: indicator.file.elf.sections.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List type.
+      default_field: false
+    - name: indicator.file.elf.sections.virtual_address
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual address.
+      default_field: false
+    - name: indicator.file.elf.sections.virtual_size
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual size.
+      default_field: false
+    - name: indicator.file.elf.segments
+      level: extended
+      type: nested
+      description: 'An array containing an object for each segment of the ELF file.
+
+        The keys that should be present in these objects are defined by sub-fields
+        underneath `elf.segments.*`.'
+      default_field: false
+    - name: indicator.file.elf.segments.sections
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment sections.
+      default_field: false
+    - name: indicator.file.elf.segments.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment type.
+      default_field: false
+    - name: indicator.file.elf.shared_libraries
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of shared libraries used by this ELF object.
+      default_field: false
+    - name: indicator.file.elf.telfhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: telfhash symbol hash for ELF file.
+      default_field: false
+    - name: indicator.file.extension
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
+      default_field: false
+    - name: indicator.file.fork_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A fork is additional data associated with a filesystem object.
+
+        On Linux, a resource fork is used to store additional data with a filesystem
+        object. A file always has at least one fork for the data portion, and additional
+        forks may exist.
+
+        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+        data stream for a file is just called $DATA. Zone.Identifier is commonly used
+        by Windows to track contents downloaded from the Internet. An ADS is typically
+        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+        is the value that should populate `fork_name`. `filename.extension` should
+        populate `file.name`, and `extension` should populate `file.extension`. The
+        full path, `file.path`, will include the fork name.'
+      example: Zone.Identifer
+      default_field: false
+    - name: indicator.file.gid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Primary group ID (GID) of the file.
+      example: '1001'
+      default_field: false
+    - name: indicator.file.group
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Primary group name of the file.
+      example: alice
+      default_field: false
+    - name: indicator.file.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: indicator.file.hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+      default_field: false
+    - name: indicator.file.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: indicator.file.hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+      default_field: false
+    - name: indicator.file.hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
+    - name: indicator.file.inode
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Inode representing the file in the filesystem.
+      example: '256383'
+      default_field: false
+    - name: indicator.file.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
+      default_field: false
+    - name: indicator.file.mode
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Mode of the file in octal representation.
+      example: '0640'
+      default_field: false
+    - name: indicator.file.mtime
+      level: extended
+      type: date
+      description: Last time the file content was modified.
+      default_field: false
+    - name: indicator.file.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the file including the extension, without the directory.
+      example: example.png
+      default_field: false
+    - name: indicator.file.owner
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File owner's username.
+      example: alice
+      default_field: false
+    - name: indicator.file.path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
+      default_field: false
+    - name: indicator.file.pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
+    - name: indicator.file.pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: indicator.file.pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: indicator.file.pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: indicator.file.pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: indicator.file.pe.original_file_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: indicator.file.pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: indicator.file.size
+      level: extended
+      type: long
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      default_field: false
+    - name: indicator.file.target_path
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF Section List type.
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Target path for symlinks.
       default_field: false
-    - name: indicator.file.elf.sections.virtual_address
+    - name: indicator.file.type
       level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual address.
+      type: keyword
+      ignore_above: 1024
+      description: File type (file, dir, or symlink).
+      example: file
       default_field: false
-    - name: indicator.file.elf.sections.virtual_size
+    - name: indicator.file.uid
       level: extended
-      type: long
-      format: string
-      description: ELF Section List virtual size.
+      type: keyword
+      ignore_above: 1024
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
       default_field: false
-    - name: indicator.file.elf.segments
+    - name: indicator.file.x509.alternative_names
       level: extended
-      type: nested
-      description: 'An array containing an object for each segment of the ELF file.
-
-        The keys that should be present in these objects are defined by sub-fields
-        underneath `elf.segments.*`.'
+      type: keyword
+      ignore_above: 1024
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
       default_field: false
-    - name: indicator.file.elf.segments.sections
+    - name: indicator.file.x509.issuer.common_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment sections.
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
       default_field: false
-    - name: indicator.file.elf.segments.type
+    - name: indicator.file.x509.issuer.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: ELF object segment type.
+      description: List of country (C) codes
+      example: US
       default_field: false
-    - name: indicator.file.elf.shared_libraries
+    - name: indicator.file.x509.issuer.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of shared libraries used by this ELF object.
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
       default_field: false
-    - name: indicator.file.elf.telfhash
+    - name: indicator.file.x509.issuer.locality
       level: extended
       type: keyword
       ignore_above: 1024
-      description: telfhash symbol hash for ELF file.
+      description: List of locality names (L)
+      example: Mountain View
       default_field: false
-    - name: indicator.file.extension
+    - name: indicator.file.x509.issuer.organization
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'File extension, excluding the leading dot.
-
-        Note that when the file name has multiple extensions (example.tar.gz), only
-        the last one should be captured ("gz", not "tar.gz").'
-      example: png
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
       default_field: false
-    - name: indicator.file.fork_name
+    - name: indicator.file.x509.issuer.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A fork is additional data associated with a filesystem object.
-
-        On Linux, a resource fork is used to store additional data with a filesystem
-        object. A file always has at least one fork for the data portion, and additional
-        forks may exist.
-
-        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
-        data stream for a file is just called $DATA. Zone.Identifier is commonly used
-        by Windows to track contents downloaded from the Internet. An ADS is typically
-        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
-        is the value that should populate `fork_name`. `filename.extension` should
-        populate `file.name`, and `extension` should populate `file.extension`. The
-        full path, `file.path`, will include the fork name.'
-      example: Zone.Identifer
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
       default_field: false
-    - name: indicator.file.gid
+    - name: indicator.file.x509.issuer.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Primary group ID (GID) of the file.
-      example: '1001'
+      description: List of state or province names (ST, S, or P)
+      example: California
       default_field: false
-    - name: indicator.file.group
+    - name: indicator.file.x509.not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: indicator.file.x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: indicator.file.x509.public_key_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Primary group name of the file.
-      example: alice
+      description: Algorithm used to generate the public key.
+      example: RSA
       default_field: false
-    - name: indicator.file.inode
+    - name: indicator.file.x509.public_key_curve
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Inode representing the file in the filesystem.
-      example: '256383'
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
       default_field: false
-    - name: indicator.file.mime_type
+    - name: indicator.file.x509.public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      doc_values: false
+      default_field: false
+    - name: indicator.file.x509.public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: indicator.file.x509.serial_number
       level: extended
       type: keyword
       ignore_above: 1024
-      description: MIME type should identify the format of the file or stream of bytes
-        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
-        official types], where possible. When more than one type is applicable, the
-        most specific type should be used.
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
       default_field: false
-    - name: indicator.file.mode
+    - name: indicator.file.x509.signature_algorithm
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Mode of the file in octal representation.
-      example: '0640'
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
       default_field: false
-    - name: indicator.file.mtime
+    - name: indicator.file.x509.subject.common_name
       level: extended
-      type: date
-      description: Last time the file content was modified.
+      type: keyword
+      ignore_above: 1024
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
       default_field: false
-    - name: indicator.file.name
+    - name: indicator.file.x509.subject.country
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the file including the extension, without the directory.
-      example: example.png
+      description: List of country (C) code
+      example: US
       default_field: false
-    - name: indicator.file.owner
+    - name: indicator.file.x509.subject.distinguished_name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File owner's username.
-      example: alice
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
-    - name: indicator.file.path
+    - name: indicator.file.x509.subject.locality
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Full path to the file, including the file name. It should include
-        the drive letter, when appropriate.
-      example: /home/alice/example.png
+      description: List of locality names (L)
+      example: San Francisco
       default_field: false
-    - name: indicator.file.size
+    - name: indicator.file.x509.subject.organization
       level: extended
-      type: long
-      description: 'File size in bytes.
-
-        Only relevant when `file.type` is "file".'
-      example: 16384
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
       default_field: false
-    - name: indicator.file.target_path
+    - name: indicator.file.x509.subject.organizational_unit
       level: extended
       type: keyword
       ignore_above: 1024
-      multi_fields:
-      - name: text
-        type: match_only_text
-      description: Target path for symlinks.
+      description: List of organizational units (OU) of subject.
       default_field: false
-    - name: indicator.file.type
+    - name: indicator.file.x509.subject.state_or_province
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File type (file, dir, or symlink).
-      example: file
+      description: List of state or province names (ST, S, or P)
+      example: California
       default_field: false
-    - name: indicator.file.uid
+    - name: indicator.file.x509.version_number
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The user ID (UID) or security identifier (SID) of the file owner.
-      example: '1001'
+      description: Version of x509 format.
+      example: 3
       default_field: false
     - name: indicator.first_seen
       level: extended
@@ -7702,36 +8610,6 @@
       description: The time zone of the location, such as IANA time zone name.
       example: America/Argentina/Buenos_Aires
       default_field: false
-    - name: indicator.hash.md5
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: MD5 hash.
-      default_field: false
-    - name: indicator.hash.sha1
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA1 hash.
-      default_field: false
-    - name: indicator.hash.sha256
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA256 hash.
-      default_field: false
-    - name: indicator.hash.sha512
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SHA512 hash.
-      default_field: false
-    - name: indicator.hash.ssdeep
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: SSDEEP hash.
-      default_field: false
     - name: indicator.ip
       level: extended
       type: ip
@@ -7761,59 +8639,6 @@
         for this indicator.
       example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: indicator.pe.architecture
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: CPU architecture target for the file.
-      example: x64
-      default_field: false
-    - name: indicator.pe.company
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      default_field: false
-    - name: indicator.pe.description
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      default_field: false
-    - name: indicator.pe.file_version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      default_field: false
-    - name: indicator.pe.imphash
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      default_field: false
-    - name: indicator.pe.original_file_name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      default_field: false
-    - name: indicator.pe.product
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      default_field: false
     - name: indicator.port
       level: extended
       type: long
@@ -8375,6 +9200,7 @@
       protocol itself and intentionally avoids in-depth analysis of the related x.509
       certificate files.
     type: group
+    default_field: true
     fields:
     - name: cipher
       level: extended
@@ -8985,6 +9811,7 @@
     description: URL fields provide support for complete or partial URLs, and supports
       the breaking down into scheme, domain, path, and so on.
     type: group
+    default_field: true
     fields:
     - name: domain
       level: extended
@@ -9132,6 +9959,7 @@
       Fields can have one entry or multiple entries. If a user has more than one id,
       provide an array that includes all of them.'
     type: group
+    default_field: true
     fields:
     - name: changes.domain
       level: extended
@@ -9445,6 +10273,7 @@
 
       They often show up in web service logs coming from the parsed user agent string.'
     type: group
+    default_field: true
     fields:
     - name: device.name
       level: extended
@@ -9553,6 +10382,7 @@
       specific information when observer events contain discrete ingress and egress
       VLAN information, typically provided by firewalls, routers, or load balancers.'
     type: group
+    default_field: true
     fields:
     - name: id
       level: extended
@@ -9574,6 +10404,7 @@
     description: The vulnerability fields describe information about a vulnerability
       that is relevant to an event.
     type: group
+    default_field: true
     fields:
     - name: category
       level: extended
@@ -9712,6 +10543,7 @@
       use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
       `tls.client.x509`.'
     type: group
+    default_field: true
     fields:
     - name: alternative_names
       level: extended
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 5f4046e513..a87a150e08 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,1178 +1,1270 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-8.0.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-8.0.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-8.0.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
-8.0.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-8.0.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-8.0.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-8.0.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-8.0.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-8.0.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-8.0.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-8.0.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-8.0.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-8.0.0-dev,true,client,client.domain,keyword,core,,,Client domain.
-8.0.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-8.0.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
-8.0.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-8.0.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-8.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-8.0.0-dev,true,client,client.port,long,core,,,Port of the client.
-8.0.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-8.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
-8.0.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-8.0.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-8.0.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
-8.0.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-8.0.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-8.0.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-8.0.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-8.0.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-8.0.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-8.0.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
-8.0.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
-8.0.0-dev,true,container,container.id,keyword,core,,,Unique container id.
-8.0.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-8.0.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-8.0.0-dev,true,container,container.labels,object,extended,,,Image labels.
-8.0.0-dev,true,container,container.name,keyword,extended,,,Container name.
-8.0.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-8.0.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
-8.0.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
-8.0.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream.
-8.0.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
-8.0.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-8.0.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
-8.0.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-8.0.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
-8.0.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-8.0.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-8.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-8.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-8.0.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-8.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
-8.0.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-8.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-8.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-8.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-8.0.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
-8.0.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-8.0.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-8.0.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-8.0.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-8.0.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-8.0.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-8.0.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-8.0.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
-8.0.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-8.0.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-8.0.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-8.0.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-8.0.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-8.0.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-8.0.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-8.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
-8.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
-8.0.0-dev,true,error,error.message,match_only_text,core,,,Error message.
-8.0.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-8.0.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text.
-8.0.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-8.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-8.0.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field.
-8.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-8.0.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-8.0.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-8.0.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-8.0.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-8.0.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-8.0.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-8.0.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-8.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-8.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-8.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-8.0.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-8.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-8.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-8.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-8.0.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-8.0.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-8.0.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-8.0.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
-8.0.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
-8.0.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-8.0.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
-8.0.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-8.0.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-8.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-8.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-8.0.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev,true,file,file.created,date,extended,,,File creation time.
-8.0.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-8.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-8.0.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-8.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-8.0.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-8.0.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
-8.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-8.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-8.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-8.0.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-8.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-8.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-8.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-8.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-8.0.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-8.0.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
-8.0.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks.
-8.0.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-8.0.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-8.0.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-8.0.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
-8.0.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
-8.0.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
-8.0.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-8.0.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
-8.0.0-dev,true,host,host.id,keyword,core,,,Unique host id.
-8.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-8.0.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
-8.0.0-dev,true,host,host.name,keyword,core,,,Name of the host.
-8.0.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
-8.0.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
-8.0.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
-8.0.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
-8.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-8.0.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-8.0.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-8.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-8.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-8.0.0-dev,true,host,host.type,keyword,core,,,Type of host.
-8.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-8.0.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-8.0.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
-8.0.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body.
-8.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-8.0.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
-8.0.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
-8.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-8.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
-8.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-8.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
-8.0.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body.
-8.0.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-8.0.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-8.0.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-8.0.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-8.0.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-8.0.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-8.0.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-8.0.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event.
-8.0.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-8.0.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-8.0.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
-8.0.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-8.0.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-8.0.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-8.0.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-8.0.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-8.0.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-8.0.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-8.0.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-8.0.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-8.0.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-8.0.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-8.0.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
-8.0.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-8.0.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-8.0.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-8.0.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-8.0.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-8.0.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
-8.0.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-8.0.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-8.0.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-8.0.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-8.0.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-8.0.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-8.0.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-8.0.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-8.0.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-8.0.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-8.0.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-8.0.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-8.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-8.0.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
-8.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-8.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-8.0.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-8.0.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-8.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-8.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-8.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-8.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-8.0.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-8.0.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-8.0.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
-8.0.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action
-8.0.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster.
-8.0.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster.
-8.0.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster.
-8.0.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
-8.0.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups).
-8.0.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon.
-8.0.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon.
-8.0.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."
-8.0.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-8.0.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
-8.0.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name.
-8.0.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-8.0.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-8.0.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-8.0.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-8.0.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-8.0.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
-8.0.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-8.0.0-dev,true,package,package.name,keyword,extended,,go,Package name
-8.0.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-8.0.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-8.0.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
-8.0.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
-8.0.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-8.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-8.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-8.0.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-8.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-8.0.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-8.0.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
-8.0.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
-8.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-8.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-8.0.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-8.0.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-8.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-8.0.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.0.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-8.0.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
-8.0.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
-8.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-8.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-8.0.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-8.0.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-8.0.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-8.0.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-8.0.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
-8.0.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title.
-8.0.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-8.0.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-8.0.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-8.0.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-8.0.0-dev,true,process,process.pid,long,core,,4242,Process id.
-8.0.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-8.0.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-8.0.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-8.0.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-8.0.0-dev,true,process,process.title,keyword,extended,,,Process title.
-8.0.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title.
-8.0.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-8.0.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-8.0.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-8.0.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-8.0.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-8.0.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-8.0.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-8.0.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-8.0.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-8.0.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-8.0.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-8.0.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-8.0.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-8.0.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
-8.0.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-8.0.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-8.0.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-8.0.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-8.0.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-8.0.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-8.0.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-8.0.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-8.0.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-8.0.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-8.0.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-8.0.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-8.0.0-dev,true,server,server.domain,keyword,core,,,Server domain.
-8.0.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-8.0.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
-8.0.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-8.0.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-8.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-8.0.0-dev,true,server,server.port,long,core,,,Port of the server.
-8.0.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-8.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
-8.0.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
-8.0.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service.
-8.0.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-8.0.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-8.0.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-8.0.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-8.0.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-8.0.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-8.0.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-8.0.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-8.0.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-8.0.0-dev,true,source,source.domain,keyword,core,,,Source domain.
-8.0.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-8.0.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-8.0.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-8.0.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-8.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-8.0.0-dev,true,source,source.port,long,core,,,Port of the source.
-8.0.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-8.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
-8.0.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-8.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event.
-8.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
-8.0.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
-8.0.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
-8.0.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-8.0.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-8.0.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,threat,threat.enrichments.indicator.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev,true,threat,threat.enrichments.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev,true,threat,threat.enrichments.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev,true,threat,threat.enrichments.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev,true,threat,threat.enrichments.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
-8.0.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-8.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
-8.0.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
-8.0.0-dev,true,threat,threat.enrichments.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.enrichments.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.enrichments.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev,true,threat,threat.enrichments.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev,true,threat,threat.enrichments.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.enrichments.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
-8.0.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
-8.0.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
-8.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-8.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-8.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-8.0.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-8.0.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-8.0.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-8.0.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
-8.0.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
-8.0.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
-8.0.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
-8.0.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
-8.0.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
-8.0.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index
-8.0.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match
-8.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-8.0.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group.
-8.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
-8.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group.
-8.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
-8.0.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.0.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.0.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.0.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
-8.0.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
-8.0.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
-8.0.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
-8.0.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-8.0.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-8.0.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
-8.0.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-8.0.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
-8.0.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-8.0.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-8.0.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
-8.0.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
-8.0.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-8.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-8.0.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
-8.0.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-8.0.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
-8.0.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-8.0.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-8.0.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-8.0.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
-8.0.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-8.0.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
-8.0.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-8.0.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-8.0.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-8.0.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
-8.0.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-8.0.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
-8.0.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.0.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
-8.0.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
-8.0.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
-8.0.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-8.0.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-8.0.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
-8.0.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
-8.0.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
-8.0.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.0.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.0.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
-8.0.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.0.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.0.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
-8.0.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.0.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
-8.0.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.0.0-dev,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash.
-8.0.0-dev,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
-8.0.0-dev,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
-8.0.0-dev,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
-8.0.0-dev,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-8.0.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
-8.0.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-8.0.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
-8.0.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
-8.0.0-dev,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-8.0.0-dev,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-8.0.0-dev,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-8.0.0-dev,true,threat,threat.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-8.0.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port
-8.0.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
-8.0.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
-8.0.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-8.0.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-8.0.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-8.0.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-8.0.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-8.0.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-8.0.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
-8.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
-8.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
-8.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
-8.0.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-8.0.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-8.0.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
-8.0.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
-8.0.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-8.0.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-8.0.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
-8.0.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-8.0.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
-8.0.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request.
-8.0.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software
-8.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
-8.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
-8.0.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
-8.0.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
-8.0.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
-8.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-8.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-8.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-8.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-8.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-8.0.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name.
-8.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-8.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-8.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-8.0.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
-8.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-8.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-8.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-8.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-8.0.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-8.0.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-8.0.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-8.0.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-8.0.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-8.0.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-8.0.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-8.0.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-8.0.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-8.0.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-8.0.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-8.0.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-8.0.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-8.0.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-8.0.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-8.0.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-8.0.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-8.0.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-8.0.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-8.0.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-8.0.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-8.0.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-8.0.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-8.0.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-8.0.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-8.0.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-8.0.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-8.0.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-8.0.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-8.0.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-8.0.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-8.0.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-8.0.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-8.0.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-8.0.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-8.0.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-8.0.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-8.0.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-8.0.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-8.0.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-8.0.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-8.0.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-8.0.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-8.0.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-8.0.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-8.0.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-8.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-8.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-8.0.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-8.0.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-8.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-8.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-8.0.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-8.0.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-8.0.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-8.0.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-8.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-8.0.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-8.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-8.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
-8.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
-8.0.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
-8.0.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,user,user.email,keyword,extended,,,User email address.
-8.0.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.0.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
-8.0.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-8.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.0.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.0.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-8.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-8.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-8.0.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-8.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-8.0.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-8.0.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-8.0.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
-8.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-8.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-8.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-8.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-8.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-8.0.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-8.0.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-8.0.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-8.0.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-8.0.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-8.0.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-8.0.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-8.0.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-8.0.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-8.0.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-8.0.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-8.0.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-8.0.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+8.1.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+8.1.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+8.1.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
+8.1.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+8.1.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+8.1.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+8.1.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+8.1.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+8.1.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+8.1.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.1.0-dev,true,client,client.address,keyword,extended,,,Client network address.
+8.1.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+8.1.0-dev,true,client,client.domain,keyword,core,,,Client domain.
+8.1.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
+8.1.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
+8.1.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+8.1.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
+8.1.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+8.1.0-dev,true,client,client.port,long,core,,,Port of the client.
+8.1.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+8.1.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
+8.1.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.1.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.1.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.1.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.1.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+8.1.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.1.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.1.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.1.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.1.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.1.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine.
+8.1.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.1.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id.
+8.1.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name.
+8.1.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider.
+8.1.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.1.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name.
+8.1.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+8.1.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+8.1.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+8.1.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.1.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
+8.1.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.1.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.1.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.1.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.1.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine.
+8.1.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.1.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id.
+8.1.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name.
+8.1.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider.
+8.1.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.1.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name.
+8.1.0-dev,true,container,container.id,keyword,core,,,Unique container id.
+8.1.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+8.1.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+8.1.0-dev,true,container,container.labels,object,extended,,,Image labels.
+8.1.0-dev,true,container,container.name,keyword,extended,,,Container name.
+8.1.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+8.1.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
+8.1.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
+8.1.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream.
+8.1.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
+8.1.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+8.1.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
+8.1.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
+8.1.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
+8.1.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+8.1.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+8.1.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+8.1.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
+8.1.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+8.1.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
+8.1.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+8.1.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+8.1.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+8.1.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+8.1.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
+8.1.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+8.1.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+8.1.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+8.1.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+8.1.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+8.1.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+8.1.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+8.1.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
+8.1.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+8.1.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+8.1.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+8.1.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+8.1.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+8.1.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+8.1.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+8.1.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
+8.1.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
+8.1.0-dev,true,error,error.message,match_only_text,core,,,Error message.
+8.1.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+8.1.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text.
+8.1.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+8.1.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+8.1.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field.
+8.1.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+8.1.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+8.1.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+8.1.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+8.1.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+8.1.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+8.1.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+8.1.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+8.1.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+8.1.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+8.1.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+8.1.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+8.1.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+8.1.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+8.1.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+8.1.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+8.1.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+8.1.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+8.1.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
+8.1.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
+8.1.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+8.1.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
+8.1.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+8.1.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+8.1.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function.
+8.1.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution.
+8.1.0-dev,true,faas,faas.trigger,nested,extended,,,Details about the function trigger.
+8.1.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc."
+8.1.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution.
+8.1.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+8.1.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+8.1.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev,true,file,file.created,date,extended,,,File creation time.
+8.1.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+8.1.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+8.1.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+8.1.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+8.1.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.1.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+8.1.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+8.1.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+8.1.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+8.1.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+8.1.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+8.1.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+8.1.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+8.1.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
+8.1.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
+8.1.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+8.1.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+8.1.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+8.1.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.1.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+8.1.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+8.1.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+8.1.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+8.1.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+8.1.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
+8.1.0-dev,true,host,host.id,keyword,core,,,Unique host id.
+8.1.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
+8.1.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
+8.1.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+8.1.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+8.1.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+8.1.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.1.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+8.1.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.1.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.1.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.1.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+8.1.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.1.0-dev,true,host,host.type,keyword,core,,,Type of host.
+8.1.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+8.1.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+8.1.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+8.1.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body.
+8.1.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+8.1.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
+8.1.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
+8.1.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+8.1.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+8.1.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+8.1.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+8.1.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body.
+8.1.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+8.1.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+8.1.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+8.1.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
+8.1.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+8.1.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
+8.1.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+8.1.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event.
+8.1.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+8.1.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+8.1.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
+8.1.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+8.1.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+8.1.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+8.1.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+8.1.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+8.1.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+8.1.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+8.1.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+8.1.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+8.1.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+8.1.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+8.1.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
+8.1.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+8.1.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+8.1.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name.
+8.1.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+8.1.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+8.1.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
+8.1.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+8.1.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+8.1.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+8.1.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+8.1.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+8.1.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+8.1.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+8.1.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+8.1.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+8.1.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+8.1.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+8.1.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+8.1.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+8.1.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
+8.1.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+8.1.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.1.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.1.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.1.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+8.1.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.1.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+8.1.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+8.1.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+8.1.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+8.1.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
+8.1.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action
+8.1.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster.
+8.1.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster.
+8.1.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster.
+8.1.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
+8.1.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups).
+8.1.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon.
+8.1.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon.
+8.1.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."
+8.1.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+8.1.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
+8.1.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name.
+8.1.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+8.1.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+8.1.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+8.1.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+8.1.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+8.1.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
+8.1.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+8.1.0-dev,true,package,package.name,keyword,extended,,go,Package name
+8.1.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+8.1.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+8.1.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
+8.1.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
+8.1.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
+8.1.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+8.1.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+8.1.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
+8.1.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+8.1.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+8.1.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
+8.1.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
+8.1.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+8.1.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+8.1.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+8.1.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
+8.1.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+8.1.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+8.1.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+8.1.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+8.1.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
+8.1.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+8.1.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+8.1.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+8.1.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+8.1.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+8.1.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
+8.1.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title.
+8.1.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+8.1.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+8.1.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+8.1.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+8.1.0-dev,true,process,process.pid,long,core,,4242,Process id.
+8.1.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+8.1.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
+8.1.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+8.1.0-dev,true,process,process.title,keyword,extended,,,Process title.
+8.1.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title.
+8.1.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+8.1.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+8.1.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+8.1.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+8.1.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+8.1.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+8.1.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+8.1.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+8.1.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+8.1.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+8.1.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+8.1.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+8.1.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+8.1.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
+8.1.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+8.1.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+8.1.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+8.1.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
+8.1.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+8.1.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+8.1.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+8.1.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+8.1.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+8.1.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
+8.1.0-dev,true,server,server.address,keyword,extended,,,Server network address.
+8.1.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+8.1.0-dev,true,server,server.domain,keyword,core,,,Server domain.
+8.1.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
+8.1.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
+8.1.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+8.1.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
+8.1.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+8.1.0-dev,true,server,server.port,long,core,,,Port of the server.
+8.1.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+8.1.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
+8.1.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.1.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service.
+8.1.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+8.1.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+8.1.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+8.1.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+8.1.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.1.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
+8.1.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+8.1.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+8.1.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service.
+8.1.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+8.1.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service.
+8.1.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service.
+8.1.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service.
+8.1.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
+8.1.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+8.1.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service.
+8.1.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+8.1.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+8.1.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service.
+8.1.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+8.1.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service.
+8.1.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service.
+8.1.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service.
+8.1.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+8.1.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+8.1.0-dev,true,source,source.address,keyword,extended,,,Source network address.
+8.1.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+8.1.0-dev,true,source,source.domain,keyword,core,,,Source domain.
+8.1.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
+8.1.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
+8.1.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+8.1.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
+8.1.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+8.1.0-dev,true,source,source.port,long,core,,,Port of the source.
+8.1.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+8.1.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
+8.1.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+8.1.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event.
+8.1.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
+8.1.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
+8.1.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+8.1.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+8.1.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+8.1.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
+8.1.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
+8.1.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
+8.1.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+8.1.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
+8.1.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+8.1.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+8.1.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+8.1.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+8.1.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+8.1.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+8.1.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+8.1.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
+8.1.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
+8.1.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
+8.1.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
+8.1.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
+8.1.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index
+8.1.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05 17:00:58.326000+00:00,Date of match
+8.1.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match
+8.1.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+8.1.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group.
+8.1.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
+8.1.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group.
+8.1.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
+8.1.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.1.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.1.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+8.1.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
+8.1.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+8.1.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+8.1.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+8.1.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.1.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.1.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
+8.1.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+8.1.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+8.1.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+8.1.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+8.1.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+8.1.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+8.1.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+8.1.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+8.1.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+8.1.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+8.1.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+8.1.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+8.1.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+8.1.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.1.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+8.1.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+8.1.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.1.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
+8.1.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
+8.1.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
+8.1.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash.
+8.1.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.1.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+8.1.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+8.1.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+8.1.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+8.1.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+8.1.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
+8.1.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+8.1.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.1.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.1.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+8.1.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+8.1.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
+8.1.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
+8.1.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+8.1.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+8.1.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+8.1.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+8.1.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
+8.1.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+8.1.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.1.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.1.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
+8.1.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.1.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.1.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+8.1.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.1.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+8.1.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.1.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+8.1.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+8.1.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
+8.1.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
+8.1.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port
+8.1.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+8.1.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
+8.1.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+8.1.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+8.1.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+8.1.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+8.1.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+8.1.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+8.1.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+8.1.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
+8.1.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
+8.1.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+8.1.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+8.1.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+8.1.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+8.1.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
+8.1.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+8.1.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+8.1.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
+8.1.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+8.1.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+8.1.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request.
+8.1.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software
+8.1.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
+8.1.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
+8.1.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
+8.1.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
+8.1.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
+8.1.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+8.1.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+8.1.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+8.1.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+8.1.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+8.1.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name.
+8.1.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+8.1.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+8.1.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+8.1.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
+8.1.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+8.1.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+8.1.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+8.1.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+8.1.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+8.1.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+8.1.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+8.1.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+8.1.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+8.1.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+8.1.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+8.1.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+8.1.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+8.1.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+8.1.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+8.1.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+8.1.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+8.1.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+8.1.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+8.1.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+8.1.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+8.1.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+8.1.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+8.1.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+8.1.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+8.1.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+8.1.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+8.1.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+8.1.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+8.1.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+8.1.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+8.1.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+8.1.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+8.1.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+8.1.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+8.1.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+8.1.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+8.1.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+8.1.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+8.1.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+8.1.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+8.1.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+8.1.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+8.1.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+8.1.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+8.1.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+8.1.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+8.1.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+8.1.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+8.1.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+8.1.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+8.1.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+8.1.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+8.1.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+8.1.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+8.1.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.1.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.1.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
+8.1.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+8.1.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+8.1.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+8.1.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+8.1.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+8.1.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.1.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.1.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+8.1.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
+8.1.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
+8.1.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,user,user.email,keyword,extended,,,User email address.
+8.1.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.1.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
+8.1.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+8.1.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.1.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.1.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+8.1.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.1.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.1.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.1.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.1.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+8.1.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+8.1.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+8.1.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+8.1.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.1.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.1.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.1.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+8.1.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.1.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+8.1.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.1.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+8.1.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+8.1.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+8.1.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+8.1.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+8.1.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+8.1.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+8.1.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+8.1.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+8.1.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+8.1.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+8.1.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+8.1.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+8.1.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+8.1.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 215b2f0189..4f2209feaa 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -628,6 +628,152 @@ cloud.machine.type:
   normalize: []
   short: Machine type of the host machine.
   type: keyword
+cloud.origin.account.id:
+  dashed_name: cloud-origin-account-id
+  description: 'The cloud account or organization id used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+  example: 666777888999
+  flat_name: cloud.origin.account.id
+  ignore_above: 1024
+  level: extended
+  name: account.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account or organization id.
+  type: keyword
+cloud.origin.account.name:
+  dashed_name: cloud-origin-account-name
+  description: 'The cloud account name or alias used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account name, Google Cloud ORG display name.'
+  example: elastic-dev
+  flat_name: cloud.origin.account.name
+  ignore_above: 1024
+  level: extended
+  name: account.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account name.
+  type: keyword
+cloud.origin.availability_zone:
+  dashed_name: cloud-origin-availability-zone
+  description: Availability zone in which this host, resource, or service is located.
+  example: us-east-1c
+  flat_name: cloud.origin.availability_zone
+  ignore_above: 1024
+  level: extended
+  name: availability_zone
+  normalize: []
+  original_fieldset: cloud
+  short: Availability zone in which this host, resource, or service is located.
+  type: keyword
+cloud.origin.instance.id:
+  dashed_name: cloud-origin-instance-id
+  description: Instance ID of the host machine.
+  example: i-1234567890abcdef0
+  flat_name: cloud.origin.instance.id
+  ignore_above: 1024
+  level: extended
+  name: instance.id
+  normalize: []
+  original_fieldset: cloud
+  short: Instance ID of the host machine.
+  type: keyword
+cloud.origin.instance.name:
+  dashed_name: cloud-origin-instance-name
+  description: Instance name of the host machine.
+  flat_name: cloud.origin.instance.name
+  ignore_above: 1024
+  level: extended
+  name: instance.name
+  normalize: []
+  original_fieldset: cloud
+  short: Instance name of the host machine.
+  type: keyword
+cloud.origin.machine.type:
+  dashed_name: cloud-origin-machine-type
+  description: Machine type of the host machine.
+  example: t2.medium
+  flat_name: cloud.origin.machine.type
+  ignore_above: 1024
+  level: extended
+  name: machine.type
+  normalize: []
+  original_fieldset: cloud
+  short: Machine type of the host machine.
+  type: keyword
+cloud.origin.project.id:
+  dashed_name: cloud-origin-project-id
+  description: 'The cloud project identifier.
+
+    Examples: Google Cloud Project id, Azure Project id.'
+  example: my-project
+  flat_name: cloud.origin.project.id
+  ignore_above: 1024
+  level: extended
+  name: project.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project id.
+  type: keyword
+cloud.origin.project.name:
+  dashed_name: cloud-origin-project-name
+  description: 'The cloud project name.
+
+    Examples: Google Cloud Project name, Azure Project name.'
+  example: my project
+  flat_name: cloud.origin.project.name
+  ignore_above: 1024
+  level: extended
+  name: project.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project name.
+  type: keyword
+cloud.origin.provider:
+  dashed_name: cloud-origin-provider
+  description: Name of the cloud provider. Example values are aws, azure, gcp, or
+    digitalocean.
+  example: aws
+  flat_name: cloud.origin.provider
+  ignore_above: 1024
+  level: extended
+  name: provider
+  normalize: []
+  original_fieldset: cloud
+  short: Name of the cloud provider.
+  type: keyword
+cloud.origin.region:
+  dashed_name: cloud-origin-region
+  description: Region in which this host, resource, or service is located.
+  example: us-east-1
+  flat_name: cloud.origin.region
+  ignore_above: 1024
+  level: extended
+  name: region
+  normalize: []
+  original_fieldset: cloud
+  short: Region in which this host, resource, or service is located.
+  type: keyword
+cloud.origin.service.name:
+  dashed_name: cloud-origin-service-name
+  description: 'The cloud service name is intended to distinguish services running
+    on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App
+    Engine, Azure VM vs App Server.
+
+    Examples: app engine, app service, cloud run, fargate, lambda.'
+  example: lambda
+  flat_name: cloud.origin.service.name
+  ignore_above: 1024
+  level: extended
+  name: service.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud service name.
+  type: keyword
 cloud.project.id:
   dashed_name: cloud-project-id
   description: 'The cloud project identifier.
@@ -692,6 +838,152 @@ cloud.service.name:
   normalize: []
   short: The cloud service name.
   type: keyword
+cloud.target.account.id:
+  dashed_name: cloud-target-account-id
+  description: 'The cloud account or organization id used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+  example: 666777888999
+  flat_name: cloud.target.account.id
+  ignore_above: 1024
+  level: extended
+  name: account.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account or organization id.
+  type: keyword
+cloud.target.account.name:
+  dashed_name: cloud-target-account-name
+  description: 'The cloud account name or alias used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account name, Google Cloud ORG display name.'
+  example: elastic-dev
+  flat_name: cloud.target.account.name
+  ignore_above: 1024
+  level: extended
+  name: account.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud account name.
+  type: keyword
+cloud.target.availability_zone:
+  dashed_name: cloud-target-availability-zone
+  description: Availability zone in which this host, resource, or service is located.
+  example: us-east-1c
+  flat_name: cloud.target.availability_zone
+  ignore_above: 1024
+  level: extended
+  name: availability_zone
+  normalize: []
+  original_fieldset: cloud
+  short: Availability zone in which this host, resource, or service is located.
+  type: keyword
+cloud.target.instance.id:
+  dashed_name: cloud-target-instance-id
+  description: Instance ID of the host machine.
+  example: i-1234567890abcdef0
+  flat_name: cloud.target.instance.id
+  ignore_above: 1024
+  level: extended
+  name: instance.id
+  normalize: []
+  original_fieldset: cloud
+  short: Instance ID of the host machine.
+  type: keyword
+cloud.target.instance.name:
+  dashed_name: cloud-target-instance-name
+  description: Instance name of the host machine.
+  flat_name: cloud.target.instance.name
+  ignore_above: 1024
+  level: extended
+  name: instance.name
+  normalize: []
+  original_fieldset: cloud
+  short: Instance name of the host machine.
+  type: keyword
+cloud.target.machine.type:
+  dashed_name: cloud-target-machine-type
+  description: Machine type of the host machine.
+  example: t2.medium
+  flat_name: cloud.target.machine.type
+  ignore_above: 1024
+  level: extended
+  name: machine.type
+  normalize: []
+  original_fieldset: cloud
+  short: Machine type of the host machine.
+  type: keyword
+cloud.target.project.id:
+  dashed_name: cloud-target-project-id
+  description: 'The cloud project identifier.
+
+    Examples: Google Cloud Project id, Azure Project id.'
+  example: my-project
+  flat_name: cloud.target.project.id
+  ignore_above: 1024
+  level: extended
+  name: project.id
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project id.
+  type: keyword
+cloud.target.project.name:
+  dashed_name: cloud-target-project-name
+  description: 'The cloud project name.
+
+    Examples: Google Cloud Project name, Azure Project name.'
+  example: my project
+  flat_name: cloud.target.project.name
+  ignore_above: 1024
+  level: extended
+  name: project.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud project name.
+  type: keyword
+cloud.target.provider:
+  dashed_name: cloud-target-provider
+  description: Name of the cloud provider. Example values are aws, azure, gcp, or
+    digitalocean.
+  example: aws
+  flat_name: cloud.target.provider
+  ignore_above: 1024
+  level: extended
+  name: provider
+  normalize: []
+  original_fieldset: cloud
+  short: Name of the cloud provider.
+  type: keyword
+cloud.target.region:
+  dashed_name: cloud-target-region
+  description: Region in which this host, resource, or service is located.
+  example: us-east-1
+  flat_name: cloud.target.region
+  ignore_above: 1024
+  level: extended
+  name: region
+  normalize: []
+  original_fieldset: cloud
+  short: Region in which this host, resource, or service is located.
+  type: keyword
+cloud.target.service.name:
+  dashed_name: cloud-target-service-name
+  description: 'The cloud service name is intended to distinguish services running
+    on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App
+    Engine, Azure VM vs App Server.
+
+    Examples: app engine, app service, cloud run, fargate, lambda.'
+  example: lambda
+  flat_name: cloud.target.service.name
+  ignore_above: 1024
+  level: extended
+  name: service.name
+  normalize: []
+  original_fieldset: cloud
+  short: The cloud service name.
+  type: keyword
 container.id:
   dashed_name: container-id
   description: Unique container id.
@@ -2668,6 +2960,58 @@ event.url:
   normalize: []
   short: Event investigation URL
   type: keyword
+faas.coldstart:
+  dashed_name: faas-coldstart
+  description: Boolean value indicating a cold start of a function.
+  flat_name: faas.coldstart
+  level: extended
+  name: coldstart
+  normalize: []
+  short: Boolean value indicating a cold start of a function.
+  type: boolean
+faas.execution:
+  dashed_name: faas-execution
+  description: The execution ID of the current function execution.
+  example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+  flat_name: faas.execution
+  ignore_above: 1024
+  level: extended
+  name: execution
+  normalize: []
+  short: The execution ID of the current function execution.
+  type: keyword
+faas.trigger:
+  dashed_name: faas-trigger
+  description: Details about the function trigger.
+  flat_name: faas.trigger
+  level: extended
+  name: trigger
+  normalize: []
+  short: Details about the function trigger.
+  type: nested
+faas.trigger.request_id:
+  dashed_name: faas-trigger-request-id
+  description: The ID of the trigger request , message, event, etc.
+  example: 123456789
+  flat_name: faas.trigger.request_id
+  ignore_above: 1024
+  level: extended
+  name: trigger.request_id
+  normalize: []
+  short: The ID of the trigger request , message, event, etc.
+  type: keyword
+faas.trigger.type:
+  dashed_name: faas-trigger-type
+  description: "The trigger for the function execution.\nExpected values are:\n  *\
+    \ http\n  * pubsub\n  * datasource\n  * timer\n  * other"
+  example: http
+  flat_name: faas.trigger.type
+  ignore_above: 1024
+  level: extended
+  name: trigger.type
+  normalize: []
+  short: The trigger for the function execution.
+  type: keyword
 file.accessed:
   dashed_name: file-accessed
   description: 'Last time the file was accessed.
@@ -4664,13 +5008,14 @@ message:
   type: match_only_text
 network.application:
   dashed_name: network-application
-  description: 'A name given to an application level protocol. This can be arbitrarily
-    assigned for things like microservices, but also apply to things like skype, icq,
-    facebook, twitter. This would be used in situations where the vendor or service
-    can be decoded such as from the source/dest IP owners, ports, or wire format.
+  description: 'When a specific application or service is identified from network
+    connection details (source/dest IPs, ports, certificates, or wire format), this
+    field captures the application''s or service''s name.
+
+    For example, the original event identifies the network connection being from a
+    specific web service in a `https` network connection, like `facebook` or `twitter`.
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    The field value must be normalized to lowercase for querying.'
   example: aim
   flat_name: network.application
   ignore_above: 1024
@@ -4813,25 +5158,24 @@ network.packets:
   type: long
 network.protocol:
   dashed_name: network-protocol
-  description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+  description: 'In the OSI Model this would be the Application Layer protocol. For
+    example, `http`, `dns`, or `ssh`.
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    The field value must be normalized to lowercase for querying.'
   example: http
   flat_name: network.protocol
   ignore_above: 1024
   level: core
   name: protocol
   normalize: []
-  short: L7 Network protocol name.
+  short: Application protocol name.
   type: keyword
 network.transport:
   dashed_name: network-transport
   description: 'Same as network.iana_number, but instead using the Keyword name of
     the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    The field value must be normalized to lowercase for querying.'
   example: tcp
   flat_name: network.transport
   ignore_above: 1024
@@ -4845,8 +5189,7 @@ network.type:
   description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec,
     pim, etc
 
-    The field value must be normalized to lowercase for querying. See the documentation
-    section "Implementing ECS".'
+    The field value must be normalized to lowercase for querying.'
   example: ipv4
   flat_name: network.type
   ignore_above: 1024
@@ -7042,18 +7385,6 @@ process.parent.pid:
   original_fieldset: process
   short: Process id.
   type: long
-process.parent.ppid:
-  dashed_name: process-parent-ppid
-  description: Parent process' pid.
-  example: 4241
-  flat_name: process.parent.ppid
-  format: string
-  level: extended
-  name: ppid
-  normalize: []
-  original_fieldset: process
-  short: Parent process' pid.
-  type: long
 process.parent.start:
   dashed_name: process-parent-start
   description: The time the process started.
@@ -7243,17 +7574,6 @@ process.pid:
   normalize: []
   short: Process id.
   type: long
-process.ppid:
-  dashed_name: process-ppid
-  description: Parent process' pid.
-  example: 4241
-  flat_name: process.ppid
-  format: string
-  level: extended
-  name: ppid
-  normalize: []
-  short: Parent process' pid.
-  type: long
 process.start:
   dashed_name: process-start
   description: The time the process started.
@@ -8142,22 +8462,324 @@ service.node.name:
   normalize: []
   short: Name of the service node.
   type: keyword
-service.state:
-  dashed_name: service-state
-  description: Current state of the service.
-  flat_name: service.state
+service.origin.address:
+  dashed_name: service-origin-address
+  description: 'Address where data about this service was collected from.
+
+    This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+    path (sockets).'
+  example: 172.26.0.2:5432
+  flat_name: service.origin.address
   ignore_above: 1024
-  level: core
-  name: state
+  level: extended
+  name: address
   normalize: []
-  short: Current state of the service.
+  original_fieldset: service
+  short: Address of this service.
   type: keyword
-service.type:
-  dashed_name: service-type
-  description: 'The type of the service data is collected from.
-
-    The type can be used to group and correlate logs and metrics from one service
-    type.
+service.origin.environment:
+  beta: This field is beta and subject to change.
+  dashed_name: service-origin-environment
+  description: 'Identifies the environment where the service is running.
+
+    If the same service runs in different environments (production, staging, QA, development,
+    etc.), the environment can identify other instances of the same service. Can also
+    group services and applications from the same environment.'
+  example: production
+  flat_name: service.origin.environment
+  ignore_above: 1024
+  level: extended
+  name: environment
+  normalize: []
+  original_fieldset: service
+  short: Environment of the service.
+  type: keyword
+service.origin.ephemeral_id:
+  dashed_name: service-origin-ephemeral-id
+  description: 'Ephemeral identifier of this service (if one exists).
+
+    This id normally changes across restarts, but `service.id` does not.'
+  example: 8a4f500f
+  flat_name: service.origin.ephemeral_id
+  ignore_above: 1024
+  level: extended
+  name: ephemeral_id
+  normalize: []
+  original_fieldset: service
+  short: Ephemeral identifier of this service.
+  type: keyword
+service.origin.id:
+  dashed_name: service-origin-id
+  description: 'Unique identifier of the running service. If the service is comprised
+    of many nodes, the `service.id` should be the same for all nodes.
+
+    This id should uniquely identify the service. This makes it possible to correlate
+    logs and metrics for one specific service, no matter which particular node emitted
+    the event.
+
+    Note that if you need to see the events from one specific host of the service,
+    you should filter on that `host.name` or `host.id` instead.'
+  example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+  flat_name: service.origin.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: service
+  short: Unique identifier of the running service.
+  type: keyword
+service.origin.name:
+  dashed_name: service-origin-name
+  description: 'Name of the service data is collected from.
+
+    The name of the service is normally user given. This allows for distributed services
+    that run on multiple hosts to correlate the related instances based on the name.
+
+    In the case of Elasticsearch the `service.name` could contain the cluster name.
+    For Beats the `service.name` is by default a copy of the `service.type` field
+    if no name is specified.'
+  example: elasticsearch-metrics
+  flat_name: service.origin.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  original_fieldset: service
+  short: Name of the service.
+  type: keyword
+service.origin.node.name:
+  dashed_name: service-origin-node-name
+  description: 'Name of a service node.
+
+    This allows for two nodes of the same service running on the same host to be differentiated.
+    Therefore, `service.node.name` should typically be unique across nodes of a given
+    service.
+
+    In the case of Elasticsearch, the `service.node.name` could contain the unique
+    node name within the Elasticsearch cluster. In cases where the service doesn''t
+    have the concept of a node name, the host name or container name can be used to
+    distinguish running instances that make up this service. If those do not provide
+    uniqueness (e.g. multiple instances of the service running on the same host) -
+    the node name can be manually set.'
+  example: instance-0000000016
+  flat_name: service.origin.node.name
+  ignore_above: 1024
+  level: extended
+  name: node.name
+  normalize: []
+  original_fieldset: service
+  short: Name of the service node.
+  type: keyword
+service.origin.state:
+  dashed_name: service-origin-state
+  description: Current state of the service.
+  flat_name: service.origin.state
+  ignore_above: 1024
+  level: core
+  name: state
+  normalize: []
+  original_fieldset: service
+  short: Current state of the service.
+  type: keyword
+service.origin.type:
+  dashed_name: service-origin-type
+  description: 'The type of the service data is collected from.
+
+    The type can be used to group and correlate logs and metrics from one service
+    type.
+
+    Example: If logs or metrics are collected from Elasticsearch, `service.type` would
+    be `elasticsearch`.'
+  example: elasticsearch
+  flat_name: service.origin.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  original_fieldset: service
+  short: The type of the service.
+  type: keyword
+service.origin.version:
+  dashed_name: service-origin-version
+  description: 'Version of the service the data was collected from.
+
+    This allows to look at a data set only for a specific version of a service.'
+  example: 3.2.4
+  flat_name: service.origin.version
+  ignore_above: 1024
+  level: core
+  name: version
+  normalize: []
+  original_fieldset: service
+  short: Version of the service.
+  type: keyword
+service.state:
+  dashed_name: service-state
+  description: Current state of the service.
+  flat_name: service.state
+  ignore_above: 1024
+  level: core
+  name: state
+  normalize: []
+  short: Current state of the service.
+  type: keyword
+service.target.address:
+  dashed_name: service-target-address
+  description: 'Address where data about this service was collected from.
+
+    This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+    path (sockets).'
+  example: 172.26.0.2:5432
+  flat_name: service.target.address
+  ignore_above: 1024
+  level: extended
+  name: address
+  normalize: []
+  original_fieldset: service
+  short: Address of this service.
+  type: keyword
+service.target.environment:
+  beta: This field is beta and subject to change.
+  dashed_name: service-target-environment
+  description: 'Identifies the environment where the service is running.
+
+    If the same service runs in different environments (production, staging, QA, development,
+    etc.), the environment can identify other instances of the same service. Can also
+    group services and applications from the same environment.'
+  example: production
+  flat_name: service.target.environment
+  ignore_above: 1024
+  level: extended
+  name: environment
+  normalize: []
+  original_fieldset: service
+  short: Environment of the service.
+  type: keyword
+service.target.ephemeral_id:
+  dashed_name: service-target-ephemeral-id
+  description: 'Ephemeral identifier of this service (if one exists).
+
+    This id normally changes across restarts, but `service.id` does not.'
+  example: 8a4f500f
+  flat_name: service.target.ephemeral_id
+  ignore_above: 1024
+  level: extended
+  name: ephemeral_id
+  normalize: []
+  original_fieldset: service
+  short: Ephemeral identifier of this service.
+  type: keyword
+service.target.id:
+  dashed_name: service-target-id
+  description: 'Unique identifier of the running service. If the service is comprised
+    of many nodes, the `service.id` should be the same for all nodes.
+
+    This id should uniquely identify the service. This makes it possible to correlate
+    logs and metrics for one specific service, no matter which particular node emitted
+    the event.
+
+    Note that if you need to see the events from one specific host of the service,
+    you should filter on that `host.name` or `host.id` instead.'
+  example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+  flat_name: service.target.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: service
+  short: Unique identifier of the running service.
+  type: keyword
+service.target.name:
+  dashed_name: service-target-name
+  description: 'Name of the service data is collected from.
+
+    The name of the service is normally user given. This allows for distributed services
+    that run on multiple hosts to correlate the related instances based on the name.
+
+    In the case of Elasticsearch the `service.name` could contain the cluster name.
+    For Beats the `service.name` is by default a copy of the `service.type` field
+    if no name is specified.'
+  example: elasticsearch-metrics
+  flat_name: service.target.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  original_fieldset: service
+  short: Name of the service.
+  type: keyword
+service.target.node.name:
+  dashed_name: service-target-node-name
+  description: 'Name of a service node.
+
+    This allows for two nodes of the same service running on the same host to be differentiated.
+    Therefore, `service.node.name` should typically be unique across nodes of a given
+    service.
+
+    In the case of Elasticsearch, the `service.node.name` could contain the unique
+    node name within the Elasticsearch cluster. In cases where the service doesn''t
+    have the concept of a node name, the host name or container name can be used to
+    distinguish running instances that make up this service. If those do not provide
+    uniqueness (e.g. multiple instances of the service running on the same host) -
+    the node name can be manually set.'
+  example: instance-0000000016
+  flat_name: service.target.node.name
+  ignore_above: 1024
+  level: extended
+  name: node.name
+  normalize: []
+  original_fieldset: service
+  short: Name of the service node.
+  type: keyword
+service.target.state:
+  dashed_name: service-target-state
+  description: Current state of the service.
+  flat_name: service.target.state
+  ignore_above: 1024
+  level: core
+  name: state
+  normalize: []
+  original_fieldset: service
+  short: Current state of the service.
+  type: keyword
+service.target.type:
+  dashed_name: service-target-type
+  description: 'The type of the service data is collected from.
+
+    The type can be used to group and correlate logs and metrics from one service
+    type.
+
+    Example: If logs or metrics are collected from Elasticsearch, `service.type` would
+    be `elasticsearch`.'
+  example: elasticsearch
+  flat_name: service.target.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  original_fieldset: service
+  short: The type of the service.
+  type: keyword
+service.target.version:
+  dashed_name: service-target-version
+  description: 'Version of the service the data was collected from.
+
+    This allows to look at a data set only for a specific version of a service.'
+  example: 3.2.4
+  flat_name: service.target.version
+  ignore_above: 1024
+  level: core
+  name: version
+  normalize: []
+  original_fieldset: service
+  short: Version of the service.
+  type: keyword
+service.type:
+  dashed_name: service-type
+  description: 'The type of the service data is collected from.
+
+    The type can be used to group and correlate logs and metrics from one service
+    type.
 
     Example: If logs or metrics are collected from Elasticsearch, `service.type` would
     be `elasticsearch`.'
@@ -8672,7 +9294,8 @@ threat.enrichments:
   flat_name: threat.enrichments
   level: extended
   name: enrichments
-  normalize: []
+  normalize:
+  - array
   short: List of objects containing indicators enriching the event.
   type: nested
 threat.enrichments.indicator:
@@ -9363,25 +9986,80 @@ threat.enrichments.indicator.file.group:
   original_fieldset: file
   short: Primary group name of the file.
   type: keyword
-threat.enrichments.indicator.file.inode:
-  dashed_name: threat-enrichments-indicator-file-inode
-  description: Inode representing the file in the filesystem.
-  example: '256383'
-  flat_name: threat.enrichments.indicator.file.inode
+threat.enrichments.indicator.file.hash.md5:
+  dashed_name: threat-enrichments-indicator-file-hash-md5
+  description: MD5 hash.
+  flat_name: threat.enrichments.indicator.file.hash.md5
   ignore_above: 1024
   level: extended
-  name: inode
+  name: md5
   normalize: []
-  original_fieldset: file
-  short: Inode representing the file in the filesystem.
+  original_fieldset: hash
+  short: MD5 hash.
   type: keyword
-threat.enrichments.indicator.file.mime_type:
-  dashed_name: threat-enrichments-indicator-file-mime-type
-  description: MIME type should identify the format of the file or stream of bytes
-    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
-    types], where possible. When more than one type is applicable, the most specific
-    type should be used.
-  flat_name: threat.enrichments.indicator.file.mime_type
+threat.enrichments.indicator.file.hash.sha1:
+  dashed_name: threat-enrichments-indicator-file-hash-sha1
+  description: SHA1 hash.
+  flat_name: threat.enrichments.indicator.file.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+threat.enrichments.indicator.file.hash.sha256:
+  dashed_name: threat-enrichments-indicator-file-hash-sha256
+  description: SHA256 hash.
+  flat_name: threat.enrichments.indicator.file.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+threat.enrichments.indicator.file.hash.sha512:
+  dashed_name: threat-enrichments-indicator-file-hash-sha512
+  description: SHA512 hash.
+  flat_name: threat.enrichments.indicator.file.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+threat.enrichments.indicator.file.hash.ssdeep:
+  dashed_name: threat-enrichments-indicator-file-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: threat.enrichments.indicator.file.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
+threat.enrichments.indicator.file.inode:
+  dashed_name: threat-enrichments-indicator-file-inode
+  description: Inode representing the file in the filesystem.
+  example: '256383'
+  flat_name: threat.enrichments.indicator.file.inode
+  ignore_above: 1024
+  level: extended
+  name: inode
+  normalize: []
+  original_fieldset: file
+  short: Inode representing the file in the filesystem.
+  type: keyword
+threat.enrichments.indicator.file.mime_type:
+  dashed_name: threat-enrichments-indicator-file-mime-type
+  description: MIME type should identify the format of the file or stream of bytes
+    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
+    types], where possible. When more than one type is applicable, the most specific
+    type should be used.
+  flat_name: threat.enrichments.indicator.file.mime_type
   ignore_above: 1024
   level: extended
   name: mime_type
@@ -9452,6 +10130,94 @@ threat.enrichments.indicator.file.path:
   original_fieldset: file
   short: Full path to the file, including the file name.
   type: keyword
+threat.enrichments.indicator.file.pe.architecture:
+  dashed_name: threat-enrichments-indicator-file-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: threat.enrichments.indicator.file.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+threat.enrichments.indicator.file.pe.company:
+  dashed_name: threat-enrichments-indicator-file-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: threat.enrichments.indicator.file.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+threat.enrichments.indicator.file.pe.description:
+  dashed_name: threat-enrichments-indicator-file-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: threat.enrichments.indicator.file.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+threat.enrichments.indicator.file.pe.file_version:
+  dashed_name: threat-enrichments-indicator-file-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: threat.enrichments.indicator.file.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
+  normalize: []
+  original_fieldset: pe
+  short: Process name.
+  type: keyword
+threat.enrichments.indicator.file.pe.imphash:
+  dashed_name: threat-enrichments-indicator-file-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: threat.enrichments.indicator.file.pe.imphash
+  ignore_above: 1024
+  level: extended
+  name: imphash
+  normalize: []
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+threat.enrichments.indicator.file.pe.original_file_name:
+  dashed_name: threat-enrichments-indicator-file-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: threat.enrichments.indicator.file.pe.original_file_name
+  ignore_above: 1024
+  level: extended
+  name: original_file_name
+  normalize: []
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
+  type: keyword
+threat.enrichments.indicator.file.pe.product:
+  dashed_name: threat-enrichments-indicator-file-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: threat.enrichments.indicator.file.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
+  type: keyword
 threat.enrichments.indicator.file.size:
   dashed_name: threat-enrichments-indicator-file-size
   description: 'File size in bytes.
@@ -9504,350 +10270,513 @@ threat.enrichments.indicator.file.uid:
   original_fieldset: file
   short: The user ID (UID) or security identifier (SID) of the file owner.
   type: keyword
-threat.enrichments.indicator.first_seen:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-first-seen
-  description: The date and time when intelligence source first reported sighting
-    this indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.first_seen
-  level: extended
-  name: enrichments.indicator.first_seen
-  normalize: []
-  short: Date/time indicator was first reported.
-  type: date
-threat.enrichments.indicator.geo.city_name:
-  dashed_name: threat-enrichments-indicator-geo-city-name
-  description: City name.
-  example: Montreal
-  flat_name: threat.enrichments.indicator.geo.city_name
+threat.enrichments.indicator.file.x509.alternative_names:
+  dashed_name: threat-enrichments-indicator-file-x509-alternative-names
+  description: List of subject alternative names (SAN). Name types vary by certificate
+    authority and certificate type but commonly contain IP addresses, DNS names (and
+    wildcards), and email addresses.
+  example: '*.elastic.co'
+  flat_name: threat.enrichments.indicator.file.x509.alternative_names
   ignore_above: 1024
-  level: core
-  name: city_name
-  normalize: []
-  original_fieldset: geo
-  short: City name.
+  level: extended
+  name: alternative_names
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of subject alternative names (SAN).
   type: keyword
-threat.enrichments.indicator.geo.continent_code:
-  dashed_name: threat-enrichments-indicator-geo-continent-code
-  description: Two-letter code representing continent's name.
-  example: NA
-  flat_name: threat.enrichments.indicator.geo.continent_code
+threat.enrichments.indicator.file.x509.issuer.common_name:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-common-name
+  description: List of common name (CN) of issuing certificate authority.
+  example: Example SHA2 High Assurance Server CA
+  flat_name: threat.enrichments.indicator.file.x509.issuer.common_name
   ignore_above: 1024
-  level: core
-  name: continent_code
-  normalize: []
-  original_fieldset: geo
-  short: Continent code.
+  level: extended
+  name: issuer.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common name (CN) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.geo.continent_name:
-  dashed_name: threat-enrichments-indicator-geo-continent-name
-  description: Name of the continent.
-  example: North America
-  flat_name: threat.enrichments.indicator.geo.continent_name
+threat.enrichments.indicator.file.x509.issuer.country:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-country
+  description: List of country (C) codes
+  example: US
+  flat_name: threat.enrichments.indicator.file.x509.issuer.country
   ignore_above: 1024
-  level: core
-  name: continent_name
-  normalize: []
-  original_fieldset: geo
-  short: Name of the continent.
+  level: extended
+  name: issuer.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) codes
   type: keyword
-threat.enrichments.indicator.geo.country_iso_code:
-  dashed_name: threat-enrichments-indicator-geo-country-iso-code
-  description: Country ISO code.
-  example: CA
-  flat_name: threat.enrichments.indicator.geo.country_iso_code
+threat.enrichments.indicator.file.x509.issuer.distinguished_name:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-distinguished-name
+  description: Distinguished name (DN) of issuing certificate authority.
+  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+    Server CA
+  flat_name: threat.enrichments.indicator.file.x509.issuer.distinguished_name
   ignore_above: 1024
-  level: core
-  name: country_iso_code
+  level: extended
+  name: issuer.distinguished_name
   normalize: []
-  original_fieldset: geo
-  short: Country ISO code.
+  original_fieldset: x509
+  short: Distinguished name (DN) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.geo.country_name:
-  dashed_name: threat-enrichments-indicator-geo-country-name
-  description: Country name.
-  example: Canada
-  flat_name: threat.enrichments.indicator.geo.country_name
+threat.enrichments.indicator.file.x509.issuer.locality:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-locality
+  description: List of locality names (L)
+  example: Mountain View
+  flat_name: threat.enrichments.indicator.file.x509.issuer.locality
   ignore_above: 1024
-  level: core
-  name: country_name
-  normalize: []
-  original_fieldset: geo
-  short: Country name.
+  level: extended
+  name: issuer.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
   type: keyword
-threat.enrichments.indicator.geo.location:
-  dashed_name: threat-enrichments-indicator-geo-location
-  description: Longitude and latitude.
-  example: '{ "lon": -73.614830, "lat": 45.505918 }'
-  flat_name: threat.enrichments.indicator.geo.location
-  level: core
-  name: location
-  normalize: []
-  original_fieldset: geo
-  short: Longitude and latitude.
-  type: geo_point
-threat.enrichments.indicator.geo.name:
-  dashed_name: threat-enrichments-indicator-geo-name
-  description: 'User-defined description of a location, at the level of granularity
-    they care about.
-
-    Could be the name of their data centers, the floor number, if this describes a
-    local physical entity, city names.
-
-    Not typically used in automated geolocation.'
-  example: boston-dc
-  flat_name: threat.enrichments.indicator.geo.name
+threat.enrichments.indicator.file.x509.issuer.organization:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-organization
+  description: List of organizations (O) of issuing certificate authority.
+  example: Example Inc
+  flat_name: threat.enrichments.indicator.file.x509.issuer.organization
   ignore_above: 1024
   level: extended
-  name: name
-  normalize: []
-  original_fieldset: geo
-  short: User-defined description of a location.
+  name: issuer.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.geo.postal_code:
-  dashed_name: threat-enrichments-indicator-geo-postal-code
-  description: 'Postal code associated with the location.
-
-    Values appropriate for this field may also be known as a postcode or ZIP code
-    and will vary widely from country to country.'
-  example: 94040
-  flat_name: threat.enrichments.indicator.geo.postal_code
-  ignore_above: 1024
-  level: core
-  name: postal_code
-  normalize: []
-  original_fieldset: geo
-  short: Postal code.
-  type: keyword
-threat.enrichments.indicator.geo.region_iso_code:
-  dashed_name: threat-enrichments-indicator-geo-region-iso-code
-  description: Region ISO code.
-  example: CA-QC
-  flat_name: threat.enrichments.indicator.geo.region_iso_code
-  ignore_above: 1024
-  level: core
-  name: region_iso_code
-  normalize: []
-  original_fieldset: geo
-  short: Region ISO code.
-  type: keyword
-threat.enrichments.indicator.geo.region_name:
-  dashed_name: threat-enrichments-indicator-geo-region-name
-  description: Region name.
-  example: Quebec
-  flat_name: threat.enrichments.indicator.geo.region_name
-  ignore_above: 1024
-  level: core
-  name: region_name
-  normalize: []
-  original_fieldset: geo
-  short: Region name.
-  type: keyword
-threat.enrichments.indicator.geo.timezone:
-  dashed_name: threat-enrichments-indicator-geo-timezone
-  description: The time zone of the location, such as IANA time zone name.
-  example: America/Argentina/Buenos_Aires
-  flat_name: threat.enrichments.indicator.geo.timezone
+threat.enrichments.indicator.file.x509.issuer.organizational_unit:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-organizational-unit
+  description: List of organizational units (OU) of issuing certificate authority.
+  example: www.example.com
+  flat_name: threat.enrichments.indicator.file.x509.issuer.organizational_unit
   ignore_above: 1024
-  level: core
-  name: timezone
-  normalize: []
-  original_fieldset: geo
-  short: Time zone.
+  level: extended
+  name: issuer.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of issuing certificate authority.
   type: keyword
-threat.enrichments.indicator.hash.md5:
-  dashed_name: threat-enrichments-indicator-hash-md5
-  description: MD5 hash.
-  flat_name: threat.enrichments.indicator.hash.md5
+threat.enrichments.indicator.file.x509.issuer.state_or_province:
+  dashed_name: threat-enrichments-indicator-file-x509-issuer-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.enrichments.indicator.file.x509.issuer.state_or_province
   ignore_above: 1024
   level: extended
-  name: md5
-  normalize: []
-  original_fieldset: hash
-  short: MD5 hash.
+  name: issuer.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
   type: keyword
-threat.enrichments.indicator.hash.sha1:
-  dashed_name: threat-enrichments-indicator-hash-sha1
-  description: SHA1 hash.
-  flat_name: threat.enrichments.indicator.hash.sha1
-  ignore_above: 1024
+threat.enrichments.indicator.file.x509.not_after:
+  dashed_name: threat-enrichments-indicator-file-x509-not-after
+  description: Time at which the certificate is no longer considered valid.
+  example: 2020-07-16 03:15:39+00:00
+  flat_name: threat.enrichments.indicator.file.x509.not_after
   level: extended
-  name: sha1
+  name: not_after
   normalize: []
-  original_fieldset: hash
-  short: SHA1 hash.
-  type: keyword
-threat.enrichments.indicator.hash.sha256:
-  dashed_name: threat-enrichments-indicator-hash-sha256
-  description: SHA256 hash.
-  flat_name: threat.enrichments.indicator.hash.sha256
-  ignore_above: 1024
+  original_fieldset: x509
+  short: Time at which the certificate is no longer considered valid.
+  type: date
+threat.enrichments.indicator.file.x509.not_before:
+  dashed_name: threat-enrichments-indicator-file-x509-not-before
+  description: Time at which the certificate is first considered valid.
+  example: 2019-08-16 01:40:25+00:00
+  flat_name: threat.enrichments.indicator.file.x509.not_before
   level: extended
-  name: sha256
+  name: not_before
   normalize: []
-  original_fieldset: hash
-  short: SHA256 hash.
-  type: keyword
-threat.enrichments.indicator.hash.sha512:
-  dashed_name: threat-enrichments-indicator-hash-sha512
-  description: SHA512 hash.
-  flat_name: threat.enrichments.indicator.hash.sha512
+  original_fieldset: x509
+  short: Time at which the certificate is first considered valid.
+  type: date
+threat.enrichments.indicator.file.x509.public_key_algorithm:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-algorithm
+  description: Algorithm used to generate the public key.
+  example: RSA
+  flat_name: threat.enrichments.indicator.file.x509.public_key_algorithm
   ignore_above: 1024
   level: extended
-  name: sha512
+  name: public_key_algorithm
   normalize: []
-  original_fieldset: hash
-  short: SHA512 hash.
+  original_fieldset: x509
+  short: Algorithm used to generate the public key.
   type: keyword
-threat.enrichments.indicator.hash.ssdeep:
-  dashed_name: threat-enrichments-indicator-hash-ssdeep
-  description: SSDEEP hash.
-  flat_name: threat.enrichments.indicator.hash.ssdeep
+threat.enrichments.indicator.file.x509.public_key_curve:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-curve
+  description: The curve used by the elliptic curve public key algorithm. This is
+    algorithm specific.
+  example: nistp521
+  flat_name: threat.enrichments.indicator.file.x509.public_key_curve
   ignore_above: 1024
   level: extended
-  name: ssdeep
+  name: public_key_curve
   normalize: []
-  original_fieldset: hash
-  short: SSDEEP hash.
+  original_fieldset: x509
+  short: The curve used by the elliptic curve public key algorithm. This is algorithm
+    specific.
   type: keyword
-threat.enrichments.indicator.ip:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-ip
-  description: Identifies a threat indicator as an IP address (irrespective of direction).
-  example: 1.2.3.4
-  flat_name: threat.enrichments.indicator.ip
+threat.enrichments.indicator.file.x509.public_key_exponent:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-exponent
+  description: Exponent used to derive the public key. This is algorithm specific.
+  doc_values: false
+  example: 65537
+  flat_name: threat.enrichments.indicator.file.x509.public_key_exponent
+  index: false
   level: extended
-  name: enrichments.indicator.ip
+  name: public_key_exponent
   normalize: []
-  short: Indicator IP address
-  type: ip
-threat.enrichments.indicator.last_seen:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-last-seen
-  description: The date and time when intelligence source last reported sighting this
-    indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.last_seen
+  original_fieldset: x509
+  short: Exponent used to derive the public key. This is algorithm specific.
+  type: long
+threat.enrichments.indicator.file.x509.public_key_size:
+  dashed_name: threat-enrichments-indicator-file-x509-public-key-size
+  description: The size of the public key space in bits.
+  example: 2048
+  flat_name: threat.enrichments.indicator.file.x509.public_key_size
   level: extended
-  name: enrichments.indicator.last_seen
+  name: public_key_size
   normalize: []
-  short: Date/time indicator was last reported.
-  type: date
-threat.enrichments.indicator.marking.tlp:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-marking-tlp
-  description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
-    \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-  example: White
-  flat_name: threat.enrichments.indicator.marking.tlp
+  original_fieldset: x509
+  short: The size of the public key space in bits.
+  type: long
+threat.enrichments.indicator.file.x509.serial_number:
+  dashed_name: threat-enrichments-indicator-file-x509-serial-number
+  description: Unique serial number issued by the certificate authority. For consistency,
+    if this value is alphanumeric, it should be formatted without colons and uppercase
+    characters.
+  example: 55FBB9C7DEBF09809D12CCAA
+  flat_name: threat.enrichments.indicator.file.x509.serial_number
   ignore_above: 1024
   level: extended
-  name: enrichments.indicator.marking.tlp
+  name: serial_number
   normalize: []
-  short: Indicator TLP marking
+  original_fieldset: x509
+  short: Unique serial number issued by the certificate authority.
   type: keyword
-threat.enrichments.indicator.modified_at:
-  beta: This field is beta and subject to change.
-  dashed_name: threat-enrichments-indicator-modified-at
-  description: The date and time when intelligence source last modified information
-    for this indicator.
-  example: '2020-11-05T17:25:47.000Z'
-  flat_name: threat.enrichments.indicator.modified_at
-  level: extended
-  name: enrichments.indicator.modified_at
-  normalize: []
-  short: Date/time indicator was last updated.
-  type: date
-threat.enrichments.indicator.pe.architecture:
-  dashed_name: threat-enrichments-indicator-pe-architecture
-  description: CPU architecture target for the file.
-  example: x64
-  flat_name: threat.enrichments.indicator.pe.architecture
+threat.enrichments.indicator.file.x509.signature_algorithm:
+  dashed_name: threat-enrichments-indicator-file-x509-signature-algorithm
+  description: Identifier for certificate signature algorithm. We recommend using
+    names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+  example: SHA256-RSA
+  flat_name: threat.enrichments.indicator.file.x509.signature_algorithm
   ignore_above: 1024
   level: extended
-  name: architecture
+  name: signature_algorithm
   normalize: []
-  original_fieldset: pe
-  short: CPU architecture target for the file.
+  original_fieldset: x509
+  short: Identifier for certificate signature algorithm.
   type: keyword
-threat.enrichments.indicator.pe.company:
-  dashed_name: threat-enrichments-indicator-pe-company
-  description: Internal company name of the file, provided at compile-time.
-  example: Microsoft Corporation
-  flat_name: threat.enrichments.indicator.pe.company
+threat.enrichments.indicator.file.x509.subject.common_name:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-common-name
+  description: List of common names (CN) of subject.
+  example: shared.global.example.net
+  flat_name: threat.enrichments.indicator.file.x509.subject.common_name
   ignore_above: 1024
   level: extended
-  name: company
-  normalize: []
-  original_fieldset: pe
-  short: Internal company name of the file, provided at compile-time.
+  name: subject.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common names (CN) of subject.
   type: keyword
-threat.enrichments.indicator.pe.description:
-  dashed_name: threat-enrichments-indicator-pe-description
-  description: Internal description of the file, provided at compile-time.
-  example: Paint
-  flat_name: threat.enrichments.indicator.pe.description
+threat.enrichments.indicator.file.x509.subject.country:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-country
+  description: List of country (C) code
+  example: US
+  flat_name: threat.enrichments.indicator.file.x509.subject.country
   ignore_above: 1024
   level: extended
-  name: description
-  normalize: []
-  original_fieldset: pe
-  short: Internal description of the file, provided at compile-time.
+  name: subject.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) code
   type: keyword
-threat.enrichments.indicator.pe.file_version:
-  dashed_name: threat-enrichments-indicator-pe-file-version
-  description: Internal version of the file, provided at compile-time.
-  example: 6.3.9600.17415
-  flat_name: threat.enrichments.indicator.pe.file_version
+threat.enrichments.indicator.file.x509.subject.distinguished_name:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-distinguished-name
+  description: Distinguished name (DN) of the certificate subject entity.
+  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+  flat_name: threat.enrichments.indicator.file.x509.subject.distinguished_name
   ignore_above: 1024
   level: extended
-  name: file_version
+  name: subject.distinguished_name
   normalize: []
-  original_fieldset: pe
-  short: Process name.
+  original_fieldset: x509
+  short: Distinguished name (DN) of the certificate subject entity.
   type: keyword
-threat.enrichments.indicator.pe.imphash:
-  dashed_name: threat-enrichments-indicator-pe-imphash
-  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
-    can be used to fingerprint binaries even after recompilation or other code-level
-    transformations have occurred, which would change more traditional hash values.
-
-    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-  example: 0c6803c4e922103c4dca5963aad36ddf
-  flat_name: threat.enrichments.indicator.pe.imphash
+threat.enrichments.indicator.file.x509.subject.locality:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-locality
+  description: List of locality names (L)
+  example: San Francisco
+  flat_name: threat.enrichments.indicator.file.x509.subject.locality
   ignore_above: 1024
   level: extended
-  name: imphash
-  normalize: []
-  original_fieldset: pe
-  short: A hash of the imports in a PE file.
+  name: subject.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
   type: keyword
-threat.enrichments.indicator.pe.original_file_name:
-  dashed_name: threat-enrichments-indicator-pe-original-file-name
-  description: Internal name of the file, provided at compile-time.
-  example: MSPAINT.EXE
-  flat_name: threat.enrichments.indicator.pe.original_file_name
+threat.enrichments.indicator.file.x509.subject.organization:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-organization
+  description: List of organizations (O) of subject.
+  example: Example, Inc.
+  flat_name: threat.enrichments.indicator.file.x509.subject.organization
   ignore_above: 1024
   level: extended
-  name: original_file_name
-  normalize: []
-  original_fieldset: pe
-  short: Internal name of the file, provided at compile-time.
+  name: subject.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of subject.
   type: keyword
-threat.enrichments.indicator.pe.product:
-  dashed_name: threat-enrichments-indicator-pe-product
-  description: Internal product name of the file, provided at compile-time.
-  example: "Microsoft\xAE Windows\xAE Operating System"
-  flat_name: threat.enrichments.indicator.pe.product
+threat.enrichments.indicator.file.x509.subject.organizational_unit:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-organizational-unit
+  description: List of organizational units (OU) of subject.
+  flat_name: threat.enrichments.indicator.file.x509.subject.organizational_unit
   ignore_above: 1024
   level: extended
-  name: product
-  normalize: []
-  original_fieldset: pe
-  short: Internal product name of the file, provided at compile-time.
-  type: keyword
-threat.enrichments.indicator.port:
+  name: subject.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of subject.
+  type: keyword
+threat.enrichments.indicator.file.x509.subject.state_or_province:
+  dashed_name: threat-enrichments-indicator-file-x509-subject-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.enrichments.indicator.file.x509.subject.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: subject.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+threat.enrichments.indicator.file.x509.version_number:
+  dashed_name: threat-enrichments-indicator-file-x509-version-number
+  description: Version of x509 format.
+  example: 3
+  flat_name: threat.enrichments.indicator.file.x509.version_number
+  ignore_above: 1024
+  level: extended
+  name: version_number
+  normalize: []
+  original_fieldset: x509
+  short: Version of x509 format.
+  type: keyword
+threat.enrichments.indicator.first_seen:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-first-seen
+  description: The date and time when intelligence source first reported sighting
+    this indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.first_seen
+  level: extended
+  name: enrichments.indicator.first_seen
+  normalize: []
+  short: Date/time indicator was first reported.
+  type: date
+threat.enrichments.indicator.geo.city_name:
+  dashed_name: threat-enrichments-indicator-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: threat.enrichments.indicator.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+threat.enrichments.indicator.geo.continent_code:
+  dashed_name: threat-enrichments-indicator-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: threat.enrichments.indicator.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
+threat.enrichments.indicator.geo.continent_name:
+  dashed_name: threat-enrichments-indicator-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: threat.enrichments.indicator.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+threat.enrichments.indicator.geo.country_iso_code:
+  dashed_name: threat-enrichments-indicator-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: threat.enrichments.indicator.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+threat.enrichments.indicator.geo.country_name:
+  dashed_name: threat-enrichments-indicator-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: threat.enrichments.indicator.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+threat.enrichments.indicator.geo.location:
+  dashed_name: threat-enrichments-indicator-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: threat.enrichments.indicator.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+threat.enrichments.indicator.geo.name:
+  dashed_name: threat-enrichments-indicator-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: threat.enrichments.indicator.geo.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: keyword
+threat.enrichments.indicator.geo.postal_code:
+  dashed_name: threat-enrichments-indicator-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: threat.enrichments.indicator.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
+threat.enrichments.indicator.geo.region_iso_code:
+  dashed_name: threat-enrichments-indicator-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: threat.enrichments.indicator.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+threat.enrichments.indicator.geo.region_name:
+  dashed_name: threat-enrichments-indicator-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: threat.enrichments.indicator.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+threat.enrichments.indicator.geo.timezone:
+  dashed_name: threat-enrichments-indicator-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: threat.enrichments.indicator.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
+threat.enrichments.indicator.ip:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-ip
+  description: Identifies a threat indicator as an IP address (irrespective of direction).
+  example: 1.2.3.4
+  flat_name: threat.enrichments.indicator.ip
+  level: extended
+  name: enrichments.indicator.ip
+  normalize: []
+  short: Indicator IP address
+  type: ip
+threat.enrichments.indicator.last_seen:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-last-seen
+  description: The date and time when intelligence source last reported sighting this
+    indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.last_seen
+  level: extended
+  name: enrichments.indicator.last_seen
+  normalize: []
+  short: Date/time indicator was last reported.
+  type: date
+threat.enrichments.indicator.marking.tlp:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-marking-tlp
+  description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
+    \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+  example: White
+  flat_name: threat.enrichments.indicator.marking.tlp
+  ignore_above: 1024
+  level: extended
+  name: enrichments.indicator.marking.tlp
+  normalize: []
+  short: Indicator TLP marking
+  type: keyword
+threat.enrichments.indicator.modified_at:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-modified-at
+  description: The date and time when intelligence source last modified information
+    for this indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.enrichments.indicator.modified_at
+  level: extended
+  name: enrichments.indicator.modified_at
+  normalize: []
+  short: Date/time indicator was last updated.
+  type: date
+threat.enrichments.indicator.port:
   beta: This field is beta and subject to change.
   dashed_name: threat-enrichments-indicator-port
   description: Identifies a threat indicator as a port number (irrespective of direction).
@@ -10590,6 +11519,16 @@ threat.enrichments.matched.index:
   normalize: []
   short: Matched indicator index
   type: keyword
+threat.enrichments.matched.occurred:
+  dashed_name: threat-enrichments-matched-occurred
+  description: Indicates when the indicator match was generated
+  example: 2021-10-05 17:00:58.326000+00:00
+  flat_name: threat.enrichments.matched.occurred
+  level: extended
+  name: enrichments.matched.occurred
+  normalize: []
+  short: Date of match
+  type: date
 threat.enrichments.matched.type:
   beta: This field is beta and subject to change.
   dashed_name: threat-enrichments-matched-type
@@ -11345,146 +12284,595 @@ threat.indicator.file.group:
   original_fieldset: file
   short: Primary group name of the file.
   type: keyword
-threat.indicator.file.inode:
-  dashed_name: threat-indicator-file-inode
-  description: Inode representing the file in the filesystem.
-  example: '256383'
-  flat_name: threat.indicator.file.inode
+threat.indicator.file.hash.md5:
+  dashed_name: threat-indicator-file-hash-md5
+  description: MD5 hash.
+  flat_name: threat.indicator.file.hash.md5
   ignore_above: 1024
   level: extended
-  name: inode
+  name: md5
   normalize: []
-  original_fieldset: file
-  short: Inode representing the file in the filesystem.
+  original_fieldset: hash
+  short: MD5 hash.
   type: keyword
-threat.indicator.file.mime_type:
-  dashed_name: threat-indicator-file-mime-type
-  description: MIME type should identify the format of the file or stream of bytes
-    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
-    types], where possible. When more than one type is applicable, the most specific
-    type should be used.
-  flat_name: threat.indicator.file.mime_type
+threat.indicator.file.hash.sha1:
+  dashed_name: threat-indicator-file-hash-sha1
+  description: SHA1 hash.
+  flat_name: threat.indicator.file.hash.sha1
   ignore_above: 1024
   level: extended
-  name: mime_type
+  name: sha1
   normalize: []
-  original_fieldset: file
-  short: Media type of file, document, or arrangement of bytes.
+  original_fieldset: hash
+  short: SHA1 hash.
   type: keyword
-threat.indicator.file.mode:
+threat.indicator.file.hash.sha256:
+  dashed_name: threat-indicator-file-hash-sha256
+  description: SHA256 hash.
+  flat_name: threat.indicator.file.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+threat.indicator.file.hash.sha512:
+  dashed_name: threat-indicator-file-hash-sha512
+  description: SHA512 hash.
+  flat_name: threat.indicator.file.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+threat.indicator.file.hash.ssdeep:
+  dashed_name: threat-indicator-file-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: threat.indicator.file.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
+threat.indicator.file.inode:
+  dashed_name: threat-indicator-file-inode
+  description: Inode representing the file in the filesystem.
+  example: '256383'
+  flat_name: threat.indicator.file.inode
+  ignore_above: 1024
+  level: extended
+  name: inode
+  normalize: []
+  original_fieldset: file
+  short: Inode representing the file in the filesystem.
+  type: keyword
+threat.indicator.file.mime_type:
+  dashed_name: threat-indicator-file-mime-type
+  description: MIME type should identify the format of the file or stream of bytes
+    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
+    types], where possible. When more than one type is applicable, the most specific
+    type should be used.
+  flat_name: threat.indicator.file.mime_type
+  ignore_above: 1024
+  level: extended
+  name: mime_type
+  normalize: []
+  original_fieldset: file
+  short: Media type of file, document, or arrangement of bytes.
+  type: keyword
+threat.indicator.file.mode:
   dashed_name: threat-indicator-file-mode
   description: Mode of the file in octal representation.
   example: '0640'
   flat_name: threat.indicator.file.mode
   ignore_above: 1024
   level: extended
-  name: mode
+  name: mode
+  normalize: []
+  original_fieldset: file
+  short: Mode of the file in octal representation.
+  type: keyword
+threat.indicator.file.mtime:
+  dashed_name: threat-indicator-file-mtime
+  description: Last time the file content was modified.
+  flat_name: threat.indicator.file.mtime
+  level: extended
+  name: mtime
+  normalize: []
+  original_fieldset: file
+  short: Last time the file content was modified.
+  type: date
+threat.indicator.file.name:
+  dashed_name: threat-indicator-file-name
+  description: Name of the file including the extension, without the directory.
+  example: example.png
+  flat_name: threat.indicator.file.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: file
+  short: Name of the file including the extension, without the directory.
+  type: keyword
+threat.indicator.file.owner:
+  dashed_name: threat-indicator-file-owner
+  description: File owner's username.
+  example: alice
+  flat_name: threat.indicator.file.owner
+  ignore_above: 1024
+  level: extended
+  name: owner
+  normalize: []
+  original_fieldset: file
+  short: File owner's username.
+  type: keyword
+threat.indicator.file.path:
+  dashed_name: threat-indicator-file-path
+  description: Full path to the file, including the file name. It should include the
+    drive letter, when appropriate.
+  example: /home/alice/example.png
+  flat_name: threat.indicator.file.path
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: threat.indicator.file.path.text
+    name: text
+    type: match_only_text
+  name: path
+  normalize: []
+  original_fieldset: file
+  short: Full path to the file, including the file name.
+  type: keyword
+threat.indicator.file.pe.architecture:
+  dashed_name: threat-indicator-file-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: threat.indicator.file.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+threat.indicator.file.pe.company:
+  dashed_name: threat-indicator-file-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: threat.indicator.file.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+threat.indicator.file.pe.description:
+  dashed_name: threat-indicator-file-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: threat.indicator.file.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+threat.indicator.file.pe.file_version:
+  dashed_name: threat-indicator-file-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: threat.indicator.file.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
+  normalize: []
+  original_fieldset: pe
+  short: Process name.
+  type: keyword
+threat.indicator.file.pe.imphash:
+  dashed_name: threat-indicator-file-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: threat.indicator.file.pe.imphash
+  ignore_above: 1024
+  level: extended
+  name: imphash
+  normalize: []
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+threat.indicator.file.pe.original_file_name:
+  dashed_name: threat-indicator-file-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: threat.indicator.file.pe.original_file_name
+  ignore_above: 1024
+  level: extended
+  name: original_file_name
+  normalize: []
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
+  type: keyword
+threat.indicator.file.pe.product:
+  dashed_name: threat-indicator-file-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: threat.indicator.file.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
+  type: keyword
+threat.indicator.file.size:
+  dashed_name: threat-indicator-file-size
+  description: 'File size in bytes.
+
+    Only relevant when `file.type` is "file".'
+  example: 16384
+  flat_name: threat.indicator.file.size
+  level: extended
+  name: size
+  normalize: []
+  original_fieldset: file
+  short: File size in bytes.
+  type: long
+threat.indicator.file.target_path:
+  dashed_name: threat-indicator-file-target-path
+  description: Target path for symlinks.
+  flat_name: threat.indicator.file.target_path
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: threat.indicator.file.target_path.text
+    name: text
+    type: match_only_text
+  name: target_path
+  normalize: []
+  original_fieldset: file
+  short: Target path for symlinks.
+  type: keyword
+threat.indicator.file.type:
+  dashed_name: threat-indicator-file-type
+  description: File type (file, dir, or symlink).
+  example: file
+  flat_name: threat.indicator.file.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: file
+  short: File type (file, dir, or symlink).
+  type: keyword
+threat.indicator.file.uid:
+  dashed_name: threat-indicator-file-uid
+  description: The user ID (UID) or security identifier (SID) of the file owner.
+  example: '1001'
+  flat_name: threat.indicator.file.uid
+  ignore_above: 1024
+  level: extended
+  name: uid
+  normalize: []
+  original_fieldset: file
+  short: The user ID (UID) or security identifier (SID) of the file owner.
+  type: keyword
+threat.indicator.file.x509.alternative_names:
+  dashed_name: threat-indicator-file-x509-alternative-names
+  description: List of subject alternative names (SAN). Name types vary by certificate
+    authority and certificate type but commonly contain IP addresses, DNS names (and
+    wildcards), and email addresses.
+  example: '*.elastic.co'
+  flat_name: threat.indicator.file.x509.alternative_names
+  ignore_above: 1024
+  level: extended
+  name: alternative_names
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of subject alternative names (SAN).
+  type: keyword
+threat.indicator.file.x509.issuer.common_name:
+  dashed_name: threat-indicator-file-x509-issuer-common-name
+  description: List of common name (CN) of issuing certificate authority.
+  example: Example SHA2 High Assurance Server CA
+  flat_name: threat.indicator.file.x509.issuer.common_name
+  ignore_above: 1024
+  level: extended
+  name: issuer.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common name (CN) of issuing certificate authority.
+  type: keyword
+threat.indicator.file.x509.issuer.country:
+  dashed_name: threat-indicator-file-x509-issuer-country
+  description: List of country (C) codes
+  example: US
+  flat_name: threat.indicator.file.x509.issuer.country
+  ignore_above: 1024
+  level: extended
+  name: issuer.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) codes
+  type: keyword
+threat.indicator.file.x509.issuer.distinguished_name:
+  dashed_name: threat-indicator-file-x509-issuer-distinguished-name
+  description: Distinguished name (DN) of issuing certificate authority.
+  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+    Server CA
+  flat_name: threat.indicator.file.x509.issuer.distinguished_name
+  ignore_above: 1024
+  level: extended
+  name: issuer.distinguished_name
+  normalize: []
+  original_fieldset: x509
+  short: Distinguished name (DN) of issuing certificate authority.
+  type: keyword
+threat.indicator.file.x509.issuer.locality:
+  dashed_name: threat-indicator-file-x509-issuer-locality
+  description: List of locality names (L)
+  example: Mountain View
+  flat_name: threat.indicator.file.x509.issuer.locality
+  ignore_above: 1024
+  level: extended
+  name: issuer.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+threat.indicator.file.x509.issuer.organization:
+  dashed_name: threat-indicator-file-x509-issuer-organization
+  description: List of organizations (O) of issuing certificate authority.
+  example: Example Inc
+  flat_name: threat.indicator.file.x509.issuer.organization
+  ignore_above: 1024
+  level: extended
+  name: issuer.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of issuing certificate authority.
+  type: keyword
+threat.indicator.file.x509.issuer.organizational_unit:
+  dashed_name: threat-indicator-file-x509-issuer-organizational-unit
+  description: List of organizational units (OU) of issuing certificate authority.
+  example: www.example.com
+  flat_name: threat.indicator.file.x509.issuer.organizational_unit
+  ignore_above: 1024
+  level: extended
+  name: issuer.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of issuing certificate authority.
+  type: keyword
+threat.indicator.file.x509.issuer.state_or_province:
+  dashed_name: threat-indicator-file-x509-issuer-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.indicator.file.x509.issuer.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: issuer.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+threat.indicator.file.x509.not_after:
+  dashed_name: threat-indicator-file-x509-not-after
+  description: Time at which the certificate is no longer considered valid.
+  example: 2020-07-16 03:15:39+00:00
+  flat_name: threat.indicator.file.x509.not_after
+  level: extended
+  name: not_after
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is no longer considered valid.
+  type: date
+threat.indicator.file.x509.not_before:
+  dashed_name: threat-indicator-file-x509-not-before
+  description: Time at which the certificate is first considered valid.
+  example: 2019-08-16 01:40:25+00:00
+  flat_name: threat.indicator.file.x509.not_before
+  level: extended
+  name: not_before
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is first considered valid.
+  type: date
+threat.indicator.file.x509.public_key_algorithm:
+  dashed_name: threat-indicator-file-x509-public-key-algorithm
+  description: Algorithm used to generate the public key.
+  example: RSA
+  flat_name: threat.indicator.file.x509.public_key_algorithm
+  ignore_above: 1024
+  level: extended
+  name: public_key_algorithm
+  normalize: []
+  original_fieldset: x509
+  short: Algorithm used to generate the public key.
+  type: keyword
+threat.indicator.file.x509.public_key_curve:
+  dashed_name: threat-indicator-file-x509-public-key-curve
+  description: The curve used by the elliptic curve public key algorithm. This is
+    algorithm specific.
+  example: nistp521
+  flat_name: threat.indicator.file.x509.public_key_curve
+  ignore_above: 1024
+  level: extended
+  name: public_key_curve
+  normalize: []
+  original_fieldset: x509
+  short: The curve used by the elliptic curve public key algorithm. This is algorithm
+    specific.
+  type: keyword
+threat.indicator.file.x509.public_key_exponent:
+  dashed_name: threat-indicator-file-x509-public-key-exponent
+  description: Exponent used to derive the public key. This is algorithm specific.
+  doc_values: false
+  example: 65537
+  flat_name: threat.indicator.file.x509.public_key_exponent
+  index: false
+  level: extended
+  name: public_key_exponent
+  normalize: []
+  original_fieldset: x509
+  short: Exponent used to derive the public key. This is algorithm specific.
+  type: long
+threat.indicator.file.x509.public_key_size:
+  dashed_name: threat-indicator-file-x509-public-key-size
+  description: The size of the public key space in bits.
+  example: 2048
+  flat_name: threat.indicator.file.x509.public_key_size
+  level: extended
+  name: public_key_size
+  normalize: []
+  original_fieldset: x509
+  short: The size of the public key space in bits.
+  type: long
+threat.indicator.file.x509.serial_number:
+  dashed_name: threat-indicator-file-x509-serial-number
+  description: Unique serial number issued by the certificate authority. For consistency,
+    if this value is alphanumeric, it should be formatted without colons and uppercase
+    characters.
+  example: 55FBB9C7DEBF09809D12CCAA
+  flat_name: threat.indicator.file.x509.serial_number
+  ignore_above: 1024
+  level: extended
+  name: serial_number
+  normalize: []
+  original_fieldset: x509
+  short: Unique serial number issued by the certificate authority.
+  type: keyword
+threat.indicator.file.x509.signature_algorithm:
+  dashed_name: threat-indicator-file-x509-signature-algorithm
+  description: Identifier for certificate signature algorithm. We recommend using
+    names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+  example: SHA256-RSA
+  flat_name: threat.indicator.file.x509.signature_algorithm
+  ignore_above: 1024
+  level: extended
+  name: signature_algorithm
   normalize: []
-  original_fieldset: file
-  short: Mode of the file in octal representation.
+  original_fieldset: x509
+  short: Identifier for certificate signature algorithm.
   type: keyword
-threat.indicator.file.mtime:
-  dashed_name: threat-indicator-file-mtime
-  description: Last time the file content was modified.
-  flat_name: threat.indicator.file.mtime
+threat.indicator.file.x509.subject.common_name:
+  dashed_name: threat-indicator-file-x509-subject-common-name
+  description: List of common names (CN) of subject.
+  example: shared.global.example.net
+  flat_name: threat.indicator.file.x509.subject.common_name
+  ignore_above: 1024
   level: extended
-  name: mtime
-  normalize: []
-  original_fieldset: file
-  short: Last time the file content was modified.
-  type: date
-threat.indicator.file.name:
-  dashed_name: threat-indicator-file-name
-  description: Name of the file including the extension, without the directory.
-  example: example.png
-  flat_name: threat.indicator.file.name
+  name: subject.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common names (CN) of subject.
+  type: keyword
+threat.indicator.file.x509.subject.country:
+  dashed_name: threat-indicator-file-x509-subject-country
+  description: List of country (C) code
+  example: US
+  flat_name: threat.indicator.file.x509.subject.country
   ignore_above: 1024
   level: extended
-  name: name
-  normalize: []
-  original_fieldset: file
-  short: Name of the file including the extension, without the directory.
+  name: subject.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) code
   type: keyword
-threat.indicator.file.owner:
-  dashed_name: threat-indicator-file-owner
-  description: File owner's username.
-  example: alice
-  flat_name: threat.indicator.file.owner
+threat.indicator.file.x509.subject.distinguished_name:
+  dashed_name: threat-indicator-file-x509-subject-distinguished-name
+  description: Distinguished name (DN) of the certificate subject entity.
+  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+  flat_name: threat.indicator.file.x509.subject.distinguished_name
   ignore_above: 1024
   level: extended
-  name: owner
+  name: subject.distinguished_name
   normalize: []
-  original_fieldset: file
-  short: File owner's username.
+  original_fieldset: x509
+  short: Distinguished name (DN) of the certificate subject entity.
   type: keyword
-threat.indicator.file.path:
-  dashed_name: threat-indicator-file-path
-  description: Full path to the file, including the file name. It should include the
-    drive letter, when appropriate.
-  example: /home/alice/example.png
-  flat_name: threat.indicator.file.path
+threat.indicator.file.x509.subject.locality:
+  dashed_name: threat-indicator-file-x509-subject-locality
+  description: List of locality names (L)
+  example: San Francisco
+  flat_name: threat.indicator.file.x509.subject.locality
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: threat.indicator.file.path.text
-    name: text
-    type: match_only_text
-  name: path
-  normalize: []
-  original_fieldset: file
-  short: Full path to the file, including the file name.
+  name: subject.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
   type: keyword
-threat.indicator.file.size:
-  dashed_name: threat-indicator-file-size
-  description: 'File size in bytes.
-
-    Only relevant when `file.type` is "file".'
-  example: 16384
-  flat_name: threat.indicator.file.size
+threat.indicator.file.x509.subject.organization:
+  dashed_name: threat-indicator-file-x509-subject-organization
+  description: List of organizations (O) of subject.
+  example: Example, Inc.
+  flat_name: threat.indicator.file.x509.subject.organization
+  ignore_above: 1024
   level: extended
-  name: size
-  normalize: []
-  original_fieldset: file
-  short: File size in bytes.
-  type: long
-threat.indicator.file.target_path:
-  dashed_name: threat-indicator-file-target-path
-  description: Target path for symlinks.
-  flat_name: threat.indicator.file.target_path
+  name: subject.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of subject.
+  type: keyword
+threat.indicator.file.x509.subject.organizational_unit:
+  dashed_name: threat-indicator-file-x509-subject-organizational-unit
+  description: List of organizational units (OU) of subject.
+  flat_name: threat.indicator.file.x509.subject.organizational_unit
   ignore_above: 1024
   level: extended
-  multi_fields:
-  - flat_name: threat.indicator.file.target_path.text
-    name: text
-    type: match_only_text
-  name: target_path
-  normalize: []
-  original_fieldset: file
-  short: Target path for symlinks.
+  name: subject.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of subject.
   type: keyword
-threat.indicator.file.type:
-  dashed_name: threat-indicator-file-type
-  description: File type (file, dir, or symlink).
-  example: file
-  flat_name: threat.indicator.file.type
+threat.indicator.file.x509.subject.state_or_province:
+  dashed_name: threat-indicator-file-x509-subject-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: threat.indicator.file.x509.subject.state_or_province
   ignore_above: 1024
   level: extended
-  name: type
-  normalize: []
-  original_fieldset: file
-  short: File type (file, dir, or symlink).
+  name: subject.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
   type: keyword
-threat.indicator.file.uid:
-  dashed_name: threat-indicator-file-uid
-  description: The user ID (UID) or security identifier (SID) of the file owner.
-  example: '1001'
-  flat_name: threat.indicator.file.uid
+threat.indicator.file.x509.version_number:
+  dashed_name: threat-indicator-file-x509-version-number
+  description: Version of x509 format.
+  example: 3
+  flat_name: threat.indicator.file.x509.version_number
   ignore_above: 1024
   level: extended
-  name: uid
+  name: version_number
   normalize: []
-  original_fieldset: file
-  short: The user ID (UID) or security identifier (SID) of the file owner.
+  original_fieldset: x509
+  short: Version of x509 format.
   type: keyword
 threat.indicator.first_seen:
   dashed_name: threat-indicator-first-seen
@@ -11637,61 +13025,6 @@ threat.indicator.geo.timezone:
   original_fieldset: geo
   short: Time zone.
   type: keyword
-threat.indicator.hash.md5:
-  dashed_name: threat-indicator-hash-md5
-  description: MD5 hash.
-  flat_name: threat.indicator.hash.md5
-  ignore_above: 1024
-  level: extended
-  name: md5
-  normalize: []
-  original_fieldset: hash
-  short: MD5 hash.
-  type: keyword
-threat.indicator.hash.sha1:
-  dashed_name: threat-indicator-hash-sha1
-  description: SHA1 hash.
-  flat_name: threat.indicator.hash.sha1
-  ignore_above: 1024
-  level: extended
-  name: sha1
-  normalize: []
-  original_fieldset: hash
-  short: SHA1 hash.
-  type: keyword
-threat.indicator.hash.sha256:
-  dashed_name: threat-indicator-hash-sha256
-  description: SHA256 hash.
-  flat_name: threat.indicator.hash.sha256
-  ignore_above: 1024
-  level: extended
-  name: sha256
-  normalize: []
-  original_fieldset: hash
-  short: SHA256 hash.
-  type: keyword
-threat.indicator.hash.sha512:
-  dashed_name: threat-indicator-hash-sha512
-  description: SHA512 hash.
-  flat_name: threat.indicator.hash.sha512
-  ignore_above: 1024
-  level: extended
-  name: sha512
-  normalize: []
-  original_fieldset: hash
-  short: SHA512 hash.
-  type: keyword
-threat.indicator.hash.ssdeep:
-  dashed_name: threat-indicator-hash-ssdeep
-  description: SSDEEP hash.
-  flat_name: threat.indicator.hash.ssdeep
-  ignore_above: 1024
-  level: extended
-  name: ssdeep
-  normalize: []
-  original_fieldset: hash
-  short: SSDEEP hash.
-  type: keyword
 threat.indicator.ip:
   dashed_name: threat-indicator-ip
   description: Identifies a threat indicator as an IP address (irrespective of direction).
@@ -11736,94 +13069,6 @@ threat.indicator.modified_at:
   normalize: []
   short: Date/time indicator was last updated.
   type: date
-threat.indicator.pe.architecture:
-  dashed_name: threat-indicator-pe-architecture
-  description: CPU architecture target for the file.
-  example: x64
-  flat_name: threat.indicator.pe.architecture
-  ignore_above: 1024
-  level: extended
-  name: architecture
-  normalize: []
-  original_fieldset: pe
-  short: CPU architecture target for the file.
-  type: keyword
-threat.indicator.pe.company:
-  dashed_name: threat-indicator-pe-company
-  description: Internal company name of the file, provided at compile-time.
-  example: Microsoft Corporation
-  flat_name: threat.indicator.pe.company
-  ignore_above: 1024
-  level: extended
-  name: company
-  normalize: []
-  original_fieldset: pe
-  short: Internal company name of the file, provided at compile-time.
-  type: keyword
-threat.indicator.pe.description:
-  dashed_name: threat-indicator-pe-description
-  description: Internal description of the file, provided at compile-time.
-  example: Paint
-  flat_name: threat.indicator.pe.description
-  ignore_above: 1024
-  level: extended
-  name: description
-  normalize: []
-  original_fieldset: pe
-  short: Internal description of the file, provided at compile-time.
-  type: keyword
-threat.indicator.pe.file_version:
-  dashed_name: threat-indicator-pe-file-version
-  description: Internal version of the file, provided at compile-time.
-  example: 6.3.9600.17415
-  flat_name: threat.indicator.pe.file_version
-  ignore_above: 1024
-  level: extended
-  name: file_version
-  normalize: []
-  original_fieldset: pe
-  short: Process name.
-  type: keyword
-threat.indicator.pe.imphash:
-  dashed_name: threat-indicator-pe-imphash
-  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
-    can be used to fingerprint binaries even after recompilation or other code-level
-    transformations have occurred, which would change more traditional hash values.
-
-    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-  example: 0c6803c4e922103c4dca5963aad36ddf
-  flat_name: threat.indicator.pe.imphash
-  ignore_above: 1024
-  level: extended
-  name: imphash
-  normalize: []
-  original_fieldset: pe
-  short: A hash of the imports in a PE file.
-  type: keyword
-threat.indicator.pe.original_file_name:
-  dashed_name: threat-indicator-pe-original-file-name
-  description: Internal name of the file, provided at compile-time.
-  example: MSPAINT.EXE
-  flat_name: threat.indicator.pe.original_file_name
-  ignore_above: 1024
-  level: extended
-  name: original_file_name
-  normalize: []
-  original_fieldset: pe
-  short: Internal name of the file, provided at compile-time.
-  type: keyword
-threat.indicator.pe.product:
-  dashed_name: threat-indicator-pe-product
-  description: Internal product name of the file, provided at compile-time.
-  example: "Microsoft\xAE Windows\xAE Operating System"
-  flat_name: threat.indicator.pe.product
-  ignore_above: 1024
-  level: extended
-  name: product
-  normalize: []
-  original_fieldset: pe
-  short: Internal product name of the file, provided at compile-time.
-  type: keyword
 threat.indicator.port:
   dashed_name: threat-indicator-port
   description: Identifies a threat indicator as a port number (irrespective of direction).
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 41cf358d5a..ed8bb8798d 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -804,6 +804,152 @@ cloud:
       normalize: []
       short: Machine type of the host machine.
       type: keyword
+    cloud.origin.account.id:
+      dashed_name: cloud-origin-account-id
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      flat_name: cloud.origin.account.id
+      ignore_above: 1024
+      level: extended
+      name: account.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account or organization id.
+      type: keyword
+    cloud.origin.account.name:
+      dashed_name: cloud-origin-account-name
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      flat_name: cloud.origin.account.name
+      ignore_above: 1024
+      level: extended
+      name: account.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account name.
+      type: keyword
+    cloud.origin.availability_zone:
+      dashed_name: cloud-origin-availability-zone
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      flat_name: cloud.origin.availability_zone
+      ignore_above: 1024
+      level: extended
+      name: availability_zone
+      normalize: []
+      original_fieldset: cloud
+      short: Availability zone in which this host, resource, or service is located.
+      type: keyword
+    cloud.origin.instance.id:
+      dashed_name: cloud-origin-instance-id
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      flat_name: cloud.origin.instance.id
+      ignore_above: 1024
+      level: extended
+      name: instance.id
+      normalize: []
+      original_fieldset: cloud
+      short: Instance ID of the host machine.
+      type: keyword
+    cloud.origin.instance.name:
+      dashed_name: cloud-origin-instance-name
+      description: Instance name of the host machine.
+      flat_name: cloud.origin.instance.name
+      ignore_above: 1024
+      level: extended
+      name: instance.name
+      normalize: []
+      original_fieldset: cloud
+      short: Instance name of the host machine.
+      type: keyword
+    cloud.origin.machine.type:
+      dashed_name: cloud-origin-machine-type
+      description: Machine type of the host machine.
+      example: t2.medium
+      flat_name: cloud.origin.machine.type
+      ignore_above: 1024
+      level: extended
+      name: machine.type
+      normalize: []
+      original_fieldset: cloud
+      short: Machine type of the host machine.
+      type: keyword
+    cloud.origin.project.id:
+      dashed_name: cloud-origin-project-id
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      flat_name: cloud.origin.project.id
+      ignore_above: 1024
+      level: extended
+      name: project.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project id.
+      type: keyword
+    cloud.origin.project.name:
+      dashed_name: cloud-origin-project-name
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      flat_name: cloud.origin.project.name
+      ignore_above: 1024
+      level: extended
+      name: project.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project name.
+      type: keyword
+    cloud.origin.provider:
+      dashed_name: cloud-origin-provider
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      flat_name: cloud.origin.provider
+      ignore_above: 1024
+      level: extended
+      name: provider
+      normalize: []
+      original_fieldset: cloud
+      short: Name of the cloud provider.
+      type: keyword
+    cloud.origin.region:
+      dashed_name: cloud-origin-region
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      flat_name: cloud.origin.region
+      ignore_above: 1024
+      level: extended
+      name: region
+      normalize: []
+      original_fieldset: cloud
+      short: Region in which this host, resource, or service is located.
+      type: keyword
+    cloud.origin.service.name:
+      dashed_name: cloud-origin-service-name
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      flat_name: cloud.origin.service.name
+      ignore_above: 1024
+      level: extended
+      name: service.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud service name.
+      type: keyword
     cloud.project.id:
       dashed_name: cloud-project-id
       description: 'The cloud project identifier.
@@ -868,14 +1014,199 @@ cloud:
       normalize: []
       short: The cloud service name.
       type: keyword
+    cloud.target.account.id:
+      dashed_name: cloud-target-account-id
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      flat_name: cloud.target.account.id
+      ignore_above: 1024
+      level: extended
+      name: account.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account or organization id.
+      type: keyword
+    cloud.target.account.name:
+      dashed_name: cloud-target-account-name
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      flat_name: cloud.target.account.name
+      ignore_above: 1024
+      level: extended
+      name: account.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud account name.
+      type: keyword
+    cloud.target.availability_zone:
+      dashed_name: cloud-target-availability-zone
+      description: Availability zone in which this host, resource, or service is located.
+      example: us-east-1c
+      flat_name: cloud.target.availability_zone
+      ignore_above: 1024
+      level: extended
+      name: availability_zone
+      normalize: []
+      original_fieldset: cloud
+      short: Availability zone in which this host, resource, or service is located.
+      type: keyword
+    cloud.target.instance.id:
+      dashed_name: cloud-target-instance-id
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      flat_name: cloud.target.instance.id
+      ignore_above: 1024
+      level: extended
+      name: instance.id
+      normalize: []
+      original_fieldset: cloud
+      short: Instance ID of the host machine.
+      type: keyword
+    cloud.target.instance.name:
+      dashed_name: cloud-target-instance-name
+      description: Instance name of the host machine.
+      flat_name: cloud.target.instance.name
+      ignore_above: 1024
+      level: extended
+      name: instance.name
+      normalize: []
+      original_fieldset: cloud
+      short: Instance name of the host machine.
+      type: keyword
+    cloud.target.machine.type:
+      dashed_name: cloud-target-machine-type
+      description: Machine type of the host machine.
+      example: t2.medium
+      flat_name: cloud.target.machine.type
+      ignore_above: 1024
+      level: extended
+      name: machine.type
+      normalize: []
+      original_fieldset: cloud
+      short: Machine type of the host machine.
+      type: keyword
+    cloud.target.project.id:
+      dashed_name: cloud-target-project-id
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      flat_name: cloud.target.project.id
+      ignore_above: 1024
+      level: extended
+      name: project.id
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project id.
+      type: keyword
+    cloud.target.project.name:
+      dashed_name: cloud-target-project-name
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      flat_name: cloud.target.project.name
+      ignore_above: 1024
+      level: extended
+      name: project.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud project name.
+      type: keyword
+    cloud.target.provider:
+      dashed_name: cloud-target-provider
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      flat_name: cloud.target.provider
+      ignore_above: 1024
+      level: extended
+      name: provider
+      normalize: []
+      original_fieldset: cloud
+      short: Name of the cloud provider.
+      type: keyword
+    cloud.target.region:
+      dashed_name: cloud-target-region
+      description: Region in which this host, resource, or service is located.
+      example: us-east-1
+      flat_name: cloud.target.region
+      ignore_above: 1024
+      level: extended
+      name: region
+      normalize: []
+      original_fieldset: cloud
+      short: Region in which this host, resource, or service is located.
+      type: keyword
+    cloud.target.service.name:
+      dashed_name: cloud-target-service-name
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      flat_name: cloud.target.service.name
+      ignore_above: 1024
+      level: extended
+      name: service.name
+      normalize: []
+      original_fieldset: cloud
+      short: The cloud service name.
+      type: keyword
   footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from
     its host, the cloud info contains the data about this machine. If Metricbeat runs
     on a remote machine outside the cloud and fetches data from a service running
     in the cloud, the field contains cloud data from the machine the service is running
-    on.'
+    on.
+
+    The cloud fields may be self-nested under cloud.origin.* and cloud.target.*  to
+    describe origin or target service''s cloud information in the context of  incoming
+    or outgoing requests, respectively. However, the fieldsets  cloud.origin.* and
+    cloud.target.* must not be confused with the root cloud  fieldset that is used
+    to describe the cloud context of the actual service  under observation. The fieldset
+    cloud.origin.* may only be used in the  context of incoming requests or events
+    to provide the originating service''s  cloud information. The fieldset cloud.target.*
+    may only be used in the  context of outgoing requests or events to describe the
+    target service''s  cloud information.'
   group: 2
   name: cloud
+  nestings:
+  - cloud.origin
+  - cloud.target
   prefix: cloud.
+  reusable:
+    expected:
+    - as: origin
+      at: cloud
+      beta: Reusing the `cloud` fields in this location is currently considered beta.
+      full: cloud.origin
+      short_override: Provides the cloud information of the origin entity in case
+        of an incoming request or event.
+    - as: target
+      at: cloud
+      beta: Reusing the `cloud` fields in this location is currently considered beta.
+      full: cloud.target
+      short_override: Provides the cloud information of the target entity in case
+        of an outgoing request or event.
+    top_level: true
+  reused_here:
+  - beta: Reusing the `cloud` fields in this location is currently considered beta.
+    full: cloud.origin
+    schema_name: cloud
+    short: Provides the cloud information of the origin entity in case of an incoming
+      request or event.
+  - beta: Reusing the `cloud` fields in this location is currently considered beta.
+    full: cloud.target
+    schema_name: cloud
+    short: Provides the cloud information of the target entity in case of an outgoing
+      request or event.
   short: Fields about the cloud resource.
   title: Cloud
   type: group
@@ -1959,15 +2290,15 @@ dll:
   - dll.pe
   prefix: dll.
   reused_here:
-  - full: dll.code_signature
-    schema_name: code_signature
-    short: These fields contain information about binary code signatures.
   - full: dll.hash
     schema_name: hash
     short: Hashes, usually file hashes.
   - full: dll.pe
     schema_name: pe
     short: These fields contain Windows Portable Executable (PE) metadata.
+  - full: dll.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
   short: These fields contain information about code libraries dynamically loaded
     into processes.
   title: DLL
@@ -3487,6 +3818,69 @@ event:
   short: Fields breaking down the event details.
   title: Event
   type: group
+faas:
+  beta: These fields are in beta and are subject to change.
+  description: The user fields describe information about the function as a service
+    that is relevant to the event.
+  fields:
+    faas.coldstart:
+      dashed_name: faas-coldstart
+      description: Boolean value indicating a cold start of a function.
+      flat_name: faas.coldstart
+      level: extended
+      name: coldstart
+      normalize: []
+      short: Boolean value indicating a cold start of a function.
+      type: boolean
+    faas.execution:
+      dashed_name: faas-execution
+      description: The execution ID of the current function execution.
+      example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+      flat_name: faas.execution
+      ignore_above: 1024
+      level: extended
+      name: execution
+      normalize: []
+      short: The execution ID of the current function execution.
+      type: keyword
+    faas.trigger:
+      dashed_name: faas-trigger
+      description: Details about the function trigger.
+      flat_name: faas.trigger
+      level: extended
+      name: trigger
+      normalize: []
+      short: Details about the function trigger.
+      type: nested
+    faas.trigger.request_id:
+      dashed_name: faas-trigger-request-id
+      description: The ID of the trigger request , message, event, etc.
+      example: 123456789
+      flat_name: faas.trigger.request_id
+      ignore_above: 1024
+      level: extended
+      name: trigger.request_id
+      normalize: []
+      short: The ID of the trigger request , message, event, etc.
+      type: keyword
+    faas.trigger.type:
+      dashed_name: faas-trigger-type
+      description: "The trigger for the function execution.\nExpected values are:\n\
+        \  * http\n  * pubsub\n  * datasource\n  * timer\n  * other"
+      example: http
+      flat_name: faas.trigger.type
+      ignore_above: 1024
+      level: extended
+      name: trigger.type
+      normalize: []
+      short: The trigger for the function execution.
+      type: keyword
+  group: 2
+  name: faas
+  prefix: faas.
+  short: Fields describing functions as a service.
+  title: FaaS
+  type: group
 file:
   description: 'A file is defined as a set of information that has been created on,
     or has existed on a filesystem.
@@ -4694,13 +5088,6 @@ file:
       full: threat.enrichments.indicator.file
     top_level: true
   reused_here:
-  - full: file.code_signature
-    schema_name: code_signature
-    short: These fields contain information about binary code signatures.
-  - beta: This field reuse is beta and subject to change.
-    full: file.elf
-    schema_name: elf
-    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
   - full: file.hash
     schema_name: hash
     short: Hashes, usually file hashes.
@@ -4710,6 +5097,13 @@ file:
   - full: file.x509
     schema_name: x509
     short: These fields contain x509 certificate metadata.
+  - full: file.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
+  - beta: This field reuse is beta and subject to change.
+    full: file.elf
+    schema_name: elf
+    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
   short: Fields describing files.
   title: File
   type: group
@@ -5007,13 +5401,6 @@ hash:
     - as: hash
       at: dll
       full: dll.hash
-    - as: hash
-      at: threat.indicator
-      full: threat.indicator.hash
-    - as: hash
-      at: threat.enrichments.indicator
-      beta: Reusing the `hash` fields in this location is currently considered beta.
-      full: threat.enrichments.indicator.hash
     top_level: false
   short: Hashes, usually file hashes.
   title: Hash
@@ -5892,14 +6279,15 @@ network:
   fields:
     network.application:
       dashed_name: network-application
-      description: 'A name given to an application level protocol. This can be arbitrarily
-        assigned for things like microservices, but also apply to things like skype,
-        icq, facebook, twitter. This would be used in situations where the vendor
-        or service can be decoded such as from the source/dest IP owners, ports, or
-        wire format.
-
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+      description: 'When a specific application or service is identified from network
+        connection details (source/dest IPs, ports, certificates, or wire format),
+        this field captures the application''s or service''s name.
+
+        For example, the original event identifies the network connection being from
+        a specific web service in a `https` network connection, like `facebook` or
+        `twitter`.
+
+        The field value must be normalized to lowercase for querying.'
       example: aim
       flat_name: network.application
       ignore_above: 1024
@@ -6045,25 +6433,24 @@ network:
       type: long
     network.protocol:
       dashed_name: network-protocol
-      description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+      description: 'In the OSI Model this would be the Application Layer protocol.
+        For example, `http`, `dns`, or `ssh`.
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: http
       flat_name: network.protocol
       ignore_above: 1024
       level: core
       name: protocol
       normalize: []
-      short: L7 Network protocol name.
+      short: Application protocol name.
       type: keyword
     network.transport:
       dashed_name: network-transport
       description: 'Same as network.iana_number, but instead using the Keyword name
         of the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: tcp
       flat_name: network.transport
       ignore_above: 1024
@@ -6077,8 +6464,7 @@ network:
       description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
         ipsec, pim, etc
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: ipv4
       flat_name: network.type
       ignore_above: 1024
@@ -7216,13 +7602,6 @@ pe:
     - as: pe
       at: process
       full: process.pe
-    - as: pe
-      at: threat.indicator
-      full: threat.indicator.pe
-    - as: pe
-      at: threat.enrichments.indicator
-      beta: Reusing the `pe` fields in this location is currently considered beta.
-      full: threat.enrichments.indicator.pe
     top_level: false
   short: These fields contain Windows Portable Executable (PE) metadata.
   title: PE Header
@@ -8609,18 +8988,6 @@ process:
       original_fieldset: process
       short: Process id.
       type: long
-    process.parent.ppid:
-      dashed_name: process-parent-ppid
-      description: Parent process' pid.
-      example: 4241
-      flat_name: process.parent.ppid
-      format: string
-      level: extended
-      name: ppid
-      normalize: []
-      original_fieldset: process
-      short: Parent process' pid.
-      type: long
     process.parent.start:
       dashed_name: process-parent-start
       description: The time the process started.
@@ -8810,17 +9177,6 @@ process:
       normalize: []
       short: Process id.
       type: long
-    process.ppid:
-      dashed_name: process-ppid
-      description: Parent process' pid.
-      example: 4241
-      flat_name: process.ppid
-      format: string
-      level: extended
-      name: ppid
-      normalize: []
-      short: Parent process' pid.
-      type: long
     process.start:
       dashed_name: process-start
       description: The time the process started.
@@ -8912,6 +9268,12 @@ process:
       short_override: Information about the parent process.
     top_level: true
   reused_here:
+  - full: process.hash
+    schema_name: hash
+    short: Hashes, usually file hashes.
+  - full: process.pe
+    schema_name: pe
+    short: These fields contain Windows Portable Executable (PE) metadata.
   - full: process.code_signature
     schema_name: code_signature
     short: These fields contain information about binary code signatures.
@@ -8919,12 +9281,6 @@ process:
     full: process.elf
     schema_name: elf
     short: These fields contain Linux Executable Linkable Format (ELF) metadata.
-  - full: process.hash
-    schema_name: hash
-    short: Hashes, usually file hashes.
-  - full: process.pe
-    schema_name: pe
-    short: These fields contain Windows Portable Executable (PE) metadata.
   - full: process.parent
     schema_name: process
     short: Information about the parent process.
@@ -9844,18 +10200,128 @@ service:
       normalize: []
       short: Name of the service node.
       type: keyword
-    service.state:
-      dashed_name: service-state
+    service.origin.address:
+      dashed_name: service-origin-address
+      description: 'Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
+      flat_name: service.origin.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      original_fieldset: service
+      short: Address of this service.
+      type: keyword
+    service.origin.environment:
+      beta: This field is beta and subject to change.
+      dashed_name: service-origin-environment
+      description: 'Identifies the environment where the service is running.
+
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
+      flat_name: service.origin.environment
+      ignore_above: 1024
+      level: extended
+      name: environment
+      normalize: []
+      original_fieldset: service
+      short: Environment of the service.
+      type: keyword
+    service.origin.ephemeral_id:
+      dashed_name: service-origin-ephemeral-id
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+      flat_name: service.origin.ephemeral_id
+      ignore_above: 1024
+      level: extended
+      name: ephemeral_id
+      normalize: []
+      original_fieldset: service
+      short: Ephemeral identifier of this service.
+      type: keyword
+    service.origin.id:
+      dashed_name: service-origin-id
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+      flat_name: service.origin.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: service
+      short: Unique identifier of the running service.
+      type: keyword
+    service.origin.name:
+      dashed_name: service-origin-name
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+      flat_name: service.origin.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      original_fieldset: service
+      short: Name of the service.
+      type: keyword
+    service.origin.node.name:
+      dashed_name: service-origin-node-name
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+      flat_name: service.origin.node.name
+      ignore_above: 1024
+      level: extended
+      name: node.name
+      normalize: []
+      original_fieldset: service
+      short: Name of the service node.
+      type: keyword
+    service.origin.state:
+      dashed_name: service-origin-state
       description: Current state of the service.
-      flat_name: service.state
+      flat_name: service.origin.state
       ignore_above: 1024
       level: core
       name: state
       normalize: []
+      original_fieldset: service
       short: Current state of the service.
       type: keyword
-    service.type:
-      dashed_name: service-type
+    service.origin.type:
+      dashed_name: service-origin-type
       description: 'The type of the service data is collected from.
 
         The type can be used to group and correlate logs and metrics from one service
@@ -9864,124 +10330,355 @@ service:
         Example: If logs or metrics are collected from Elasticsearch, `service.type`
         would be `elasticsearch`.'
       example: elasticsearch
-      flat_name: service.type
+      flat_name: service.origin.type
       ignore_above: 1024
       level: core
       name: type
       normalize: []
+      original_fieldset: service
       short: The type of the service.
       type: keyword
-    service.version:
-      dashed_name: service-version
+    service.origin.version:
+      dashed_name: service-origin-version
       description: 'Version of the service the data was collected from.
 
         This allows to look at a data set only for a specific version of a service.'
       example: 3.2.4
-      flat_name: service.version
+      flat_name: service.origin.version
       ignore_above: 1024
       level: core
       name: version
       normalize: []
+      original_fieldset: service
       short: Version of the service.
       type: keyword
-  group: 2
-  name: service
-  prefix: service.
-  short: Fields describing the service for or from which the data was collected.
-  title: Service
-  type: group
-source:
-  description: 'Source fields capture details about the sender of a network exchange/packet.
-    These fields are populated from a network event, packet, or other event containing
-    details of a network transaction.
-
-    Source fields are usually populated in conjunction with destination fields. The
-    source and destination fields are considered the baseline and should always be
-    filled if an event contains source and destination details from a network transaction.
-    If the event also contains identification of the client and server roles, then
-    the client and server fields should also be populated.'
-  fields:
-    source.address:
-      dashed_name: source-address
-      description: 'Some event source addresses are defined ambiguously. The event
-        will sometimes list an IP, a domain or a unix socket.  You should always store
-        the raw address in the `.address` field.
+    service.state:
+      dashed_name: service-state
+      description: Current state of the service.
+      flat_name: service.state
+      ignore_above: 1024
+      level: core
+      name: state
+      normalize: []
+      short: Current state of the service.
+      type: keyword
+    service.target.address:
+      dashed_name: service-target-address
+      description: 'Address where data about this service was collected from.
 
-        Then it should be duplicated to `.ip` or `.domain`, depending on which one
-        it is.'
-      flat_name: source.address
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
+        path (sockets).'
+      example: 172.26.0.2:5432
+      flat_name: service.target.address
       ignore_above: 1024
       level: extended
       name: address
       normalize: []
-      short: Source network address.
+      original_fieldset: service
+      short: Address of this service.
       type: keyword
-    source.as.number:
-      dashed_name: source-as-number
-      description: Unique number allocated to the autonomous system. The autonomous
-        system number (ASN) uniquely identifies each network on the Internet.
-      example: 15169
-      flat_name: source.as.number
+    service.target.environment:
+      beta: This field is beta and subject to change.
+      dashed_name: service-target-environment
+      description: 'Identifies the environment where the service is running.
+
+        If the same service runs in different environments (production, staging, QA,
+        development, etc.), the environment can identify other instances of the same
+        service. Can also group services and applications from the same environment.'
+      example: production
+      flat_name: service.target.environment
+      ignore_above: 1024
       level: extended
-      name: number
+      name: environment
       normalize: []
-      original_fieldset: as
-      short: Unique number allocated to the autonomous system.
-      type: long
-    source.as.organization.name:
-      dashed_name: source-as-organization-name
-      description: Organization name.
-      example: Google LLC
-      flat_name: source.as.organization.name
+      original_fieldset: service
+      short: Environment of the service.
+      type: keyword
+    service.target.ephemeral_id:
+      dashed_name: service-target-ephemeral-id
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+      flat_name: service.target.ephemeral_id
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: source.as.organization.name.text
-        name: text
-        type: match_only_text
-      name: organization.name
+      name: ephemeral_id
       normalize: []
-      original_fieldset: as
-      short: Organization name.
+      original_fieldset: service
+      short: Ephemeral identifier of this service.
       type: keyword
-    source.bytes:
-      dashed_name: source-bytes
-      description: Bytes sent from the source to the destination.
-      example: 184
-      flat_name: source.bytes
-      format: bytes
-      level: core
-      name: bytes
-      normalize: []
-      short: Bytes sent from the source to the destination.
-      type: long
-    source.domain:
-      dashed_name: source-domain
-      description: Source domain.
-      flat_name: source.domain
+    service.target.id:
+      dashed_name: service-target-id
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+      flat_name: service.target.id
       ignore_above: 1024
       level: core
-      name: domain
+      name: id
       normalize: []
-      short: Source domain.
+      original_fieldset: service
+      short: Unique identifier of the running service.
       type: keyword
-    source.geo.city_name:
-      dashed_name: source-geo-city-name
-      description: City name.
-      example: Montreal
-      flat_name: source.geo.city_name
+    service.target.name:
+      dashed_name: service-target-name
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+      flat_name: service.target.name
       ignore_above: 1024
       level: core
-      name: city_name
+      name: name
       normalize: []
-      original_fieldset: geo
-      short: City name.
+      original_fieldset: service
+      short: Name of the service.
       type: keyword
-    source.geo.continent_code:
-      dashed_name: source-geo-continent-code
-      description: Two-letter code representing continent's name.
-      example: NA
-      flat_name: source.geo.continent_code
+    service.target.node.name:
+      dashed_name: service-target-node-name
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+      flat_name: service.target.node.name
+      ignore_above: 1024
+      level: extended
+      name: node.name
+      normalize: []
+      original_fieldset: service
+      short: Name of the service node.
+      type: keyword
+    service.target.state:
+      dashed_name: service-target-state
+      description: Current state of the service.
+      flat_name: service.target.state
+      ignore_above: 1024
+      level: core
+      name: state
+      normalize: []
+      original_fieldset: service
+      short: Current state of the service.
+      type: keyword
+    service.target.type:
+      dashed_name: service-target-type
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+      flat_name: service.target.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      original_fieldset: service
+      short: The type of the service.
+      type: keyword
+    service.target.version:
+      dashed_name: service-target-version
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+      flat_name: service.target.version
+      ignore_above: 1024
+      level: core
+      name: version
+      normalize: []
+      original_fieldset: service
+      short: Version of the service.
+      type: keyword
+    service.type:
+      dashed_name: service-type
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+      flat_name: service.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: The type of the service.
+      type: keyword
+    service.version:
+      dashed_name: service-version
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+      flat_name: service.version
+      ignore_above: 1024
+      level: core
+      name: version
+      normalize: []
+      short: Version of the service.
+      type: keyword
+  footnote: The service fields may be self-nested under service.origin.* and service.target.*  to
+    describe origin or target services in the context of incoming or outgoing requests,  respectively.
+    However, the fieldsets service.origin.* and service.target.* must not be confused
+    with  the root service fieldset that is used to describe the actual service under
+    observation. The fieldset service.origin.* may only be used in the context of
+    incoming requests or  events to describe the originating service of the request.
+    The fieldset service.target.*  may only be used in the context of outgoing requests
+    or events to describe the target  service of the request.
+  group: 2
+  name: service
+  nestings:
+  - service.origin
+  - service.target
+  prefix: service.
+  reusable:
+    expected:
+    - as: origin
+      at: service
+      beta: Reusing the `service` fields in this location is currently considered
+        beta.
+      full: service.origin
+      short_override: Describes the origin service in case of an incoming request
+        or event.
+    - as: target
+      at: service
+      beta: Reusing the `service` fields in this location is currently considered
+        beta.
+      full: service.target
+      short_override: Describes the target service in case of an outgoing request
+        or event.
+    top_level: true
+  reused_here:
+  - beta: Reusing the `service` fields in this location is currently considered beta.
+    full: service.origin
+    schema_name: service
+    short: Describes the origin service in case of an incoming request or event.
+  - beta: Reusing the `service` fields in this location is currently considered beta.
+    full: service.target
+    schema_name: service
+    short: Describes the target service in case of an outgoing request or event.
+  short: Fields describing the service for or from which the data was collected.
+  title: Service
+  type: group
+source:
+  description: 'Source fields capture details about the sender of a network exchange/packet.
+    These fields are populated from a network event, packet, or other event containing
+    details of a network transaction.
+
+    Source fields are usually populated in conjunction with destination fields. The
+    source and destination fields are considered the baseline and should always be
+    filled if an event contains source and destination details from a network transaction.
+    If the event also contains identification of the client and server roles, then
+    the client and server fields should also be populated.'
+  fields:
+    source.address:
+      dashed_name: source-address
+      description: 'Some event source addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+      flat_name: source.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      short: Source network address.
+      type: keyword
+    source.as.number:
+      dashed_name: source-as-number
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      flat_name: source.as.number
+      level: extended
+      name: number
+      normalize: []
+      original_fieldset: as
+      short: Unique number allocated to the autonomous system.
+      type: long
+    source.as.organization.name:
+      dashed_name: source-as-organization-name
+      description: Organization name.
+      example: Google LLC
+      flat_name: source.as.organization.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: source.as.organization.name.text
+        name: text
+        type: match_only_text
+      name: organization.name
+      normalize: []
+      original_fieldset: as
+      short: Organization name.
+      type: keyword
+    source.bytes:
+      dashed_name: source-bytes
+      description: Bytes sent from the source to the destination.
+      example: 184
+      flat_name: source.bytes
+      format: bytes
+      level: core
+      name: bytes
+      normalize: []
+      short: Bytes sent from the source to the destination.
+      type: long
+    source.domain:
+      dashed_name: source-domain
+      description: Source domain.
+      flat_name: source.domain
+      ignore_above: 1024
+      level: core
+      name: domain
+      normalize: []
+      short: Source domain.
+      type: keyword
+    source.geo.city_name:
+      dashed_name: source-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: source.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    source.geo.continent_code:
+      dashed_name: source-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: source.geo.continent_code
       ignore_above: 1024
       level: core
       name: continent_code
@@ -10395,7 +11092,8 @@ threat:
       flat_name: threat.enrichments
       level: extended
       name: enrichments
-      normalize: []
+      normalize:
+      - array
       short: List of objects containing indicators enriching the event.
       type: nested
     threat.enrichments.indicator:
@@ -11086,6 +11784,61 @@ threat:
       original_fieldset: file
       short: Primary group name of the file.
       type: keyword
+    threat.enrichments.indicator.file.hash.md5:
+      dashed_name: threat-enrichments-indicator-file-hash-md5
+      description: MD5 hash.
+      flat_name: threat.enrichments.indicator.file.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.sha1:
+      dashed_name: threat-enrichments-indicator-file-hash-sha1
+      description: SHA1 hash.
+      flat_name: threat.enrichments.indicator.file.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.sha256:
+      dashed_name: threat-enrichments-indicator-file-hash-sha256
+      description: SHA256 hash.
+      flat_name: threat.enrichments.indicator.file.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.sha512:
+      dashed_name: threat-enrichments-indicator-file-hash-sha512
+      description: SHA512 hash.
+      flat_name: threat.enrichments.indicator.file.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    threat.enrichments.indicator.file.hash.ssdeep:
+      dashed_name: threat-enrichments-indicator-file-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: threat.enrichments.indicator.file.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     threat.enrichments.indicator.file.inode:
       dashed_name: threat-enrichments-indicator-file-inode
       description: Inode representing the file in the filesystem.
@@ -11175,28 +11928,116 @@ threat:
       original_fieldset: file
       short: Full path to the file, including the file name.
       type: keyword
-    threat.enrichments.indicator.file.size:
-      dashed_name: threat-enrichments-indicator-file-size
-      description: 'File size in bytes.
-
-        Only relevant when `file.type` is "file".'
-      example: 16384
-      flat_name: threat.enrichments.indicator.file.size
+    threat.enrichments.indicator.file.pe.architecture:
+      dashed_name: threat-enrichments-indicator-file-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: threat.enrichments.indicator.file.pe.architecture
+      ignore_above: 1024
       level: extended
-      name: size
+      name: architecture
       normalize: []
-      original_fieldset: file
-      short: File size in bytes.
-      type: long
-    threat.enrichments.indicator.file.target_path:
-      dashed_name: threat-enrichments-indicator-file-target-path
-      description: Target path for symlinks.
-      flat_name: threat.enrichments.indicator.file.target_path
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    threat.enrichments.indicator.file.pe.company:
+      dashed_name: threat-enrichments-indicator-file-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: threat.enrichments.indicator.file.pe.company
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: threat.enrichments.indicator.file.target_path.text
-        name: text
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    threat.enrichments.indicator.file.pe.description:
+      dashed_name: threat-enrichments-indicator-file-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: threat.enrichments.indicator.file.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    threat.enrichments.indicator.file.pe.file_version:
+      dashed_name: threat-enrichments-indicator-file-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: threat.enrichments.indicator.file.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      original_fieldset: pe
+      short: Process name.
+      type: keyword
+    threat.enrichments.indicator.file.pe.imphash:
+      dashed_name: threat-enrichments-indicator-file-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: threat.enrichments.indicator.file.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    threat.enrichments.indicator.file.pe.original_file_name:
+      dashed_name: threat-enrichments-indicator-file-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: threat.enrichments.indicator.file.pe.original_file_name
+      ignore_above: 1024
+      level: extended
+      name: original_file_name
+      normalize: []
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
+      type: keyword
+    threat.enrichments.indicator.file.pe.product:
+      dashed_name: threat-enrichments-indicator-file-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: threat.enrichments.indicator.file.pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+    threat.enrichments.indicator.file.size:
+      dashed_name: threat-enrichments-indicator-file-size
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      flat_name: threat.enrichments.indicator.file.size
+      level: extended
+      name: size
+      normalize: []
+      original_fieldset: file
+      short: File size in bytes.
+      type: long
+    threat.enrichments.indicator.file.target_path:
+      dashed_name: threat-enrichments-indicator-file-target-path
+      description: Target path for symlinks.
+      flat_name: threat.enrichments.indicator.file.target_path
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.enrichments.indicator.file.target_path.text
+        name: text
         type: match_only_text
       name: target_path
       normalize: []
@@ -11227,375 +12068,538 @@ threat:
       original_fieldset: file
       short: The user ID (UID) or security identifier (SID) of the file owner.
       type: keyword
-    threat.enrichments.indicator.first_seen:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-first-seen
-      description: The date and time when intelligence source first reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.first_seen
-      level: extended
-      name: enrichments.indicator.first_seen
-      normalize: []
-      short: Date/time indicator was first reported.
-      type: date
-    threat.enrichments.indicator.geo.city_name:
-      dashed_name: threat-enrichments-indicator-geo-city-name
-      description: City name.
-      example: Montreal
-      flat_name: threat.enrichments.indicator.geo.city_name
+    threat.enrichments.indicator.file.x509.alternative_names:
+      dashed_name: threat-enrichments-indicator-file-x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: threat.enrichments.indicator.file.x509.alternative_names
       ignore_above: 1024
-      level: core
-      name: city_name
-      normalize: []
-      original_fieldset: geo
-      short: City name.
+      level: extended
+      name: alternative_names
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of subject alternative names (SAN).
       type: keyword
-    threat.enrichments.indicator.geo.continent_code:
-      dashed_name: threat-enrichments-indicator-geo-continent-code
-      description: Two-letter code representing continent's name.
-      example: NA
-      flat_name: threat.enrichments.indicator.geo.continent_code
+    threat.enrichments.indicator.file.x509.issuer.common_name:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: threat.enrichments.indicator.file.x509.issuer.common_name
       ignore_above: 1024
-      level: core
-      name: continent_code
-      normalize: []
-      original_fieldset: geo
-      short: Continent code.
+      level: extended
+      name: issuer.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common name (CN) of issuing certificate authority.
       type: keyword
-    threat.enrichments.indicator.geo.continent_name:
-      dashed_name: threat-enrichments-indicator-geo-continent-name
-      description: Name of the continent.
-      example: North America
-      flat_name: threat.enrichments.indicator.geo.continent_name
+    threat.enrichments.indicator.file.x509.issuer.country:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: threat.enrichments.indicator.file.x509.issuer.country
       ignore_above: 1024
-      level: core
-      name: continent_name
-      normalize: []
-      original_fieldset: geo
-      short: Name of the continent.
+      level: extended
+      name: issuer.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) codes
       type: keyword
-    threat.enrichments.indicator.geo.country_iso_code:
-      dashed_name: threat-enrichments-indicator-geo-country-iso-code
-      description: Country ISO code.
-      example: CA
-      flat_name: threat.enrichments.indicator.geo.country_iso_code
+    threat.enrichments.indicator.file.x509.issuer.distinguished_name:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: threat.enrichments.indicator.file.x509.issuer.distinguished_name
       ignore_above: 1024
-      level: core
-      name: country_iso_code
+      level: extended
+      name: issuer.distinguished_name
       normalize: []
-      original_fieldset: geo
-      short: Country ISO code.
+      original_fieldset: x509
+      short: Distinguished name (DN) of issuing certificate authority.
       type: keyword
-    threat.enrichments.indicator.geo.country_name:
-      dashed_name: threat-enrichments-indicator-geo-country-name
-      description: Country name.
-      example: Canada
-      flat_name: threat.enrichments.indicator.geo.country_name
+    threat.enrichments.indicator.file.x509.issuer.locality:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: threat.enrichments.indicator.file.x509.issuer.locality
       ignore_above: 1024
-      level: core
-      name: country_name
-      normalize: []
-      original_fieldset: geo
-      short: Country name.
+      level: extended
+      name: issuer.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
       type: keyword
-    threat.enrichments.indicator.geo.location:
-      dashed_name: threat-enrichments-indicator-geo-location
-      description: Longitude and latitude.
-      example: '{ "lon": -73.614830, "lat": 45.505918 }'
-      flat_name: threat.enrichments.indicator.geo.location
-      level: core
-      name: location
-      normalize: []
-      original_fieldset: geo
-      short: Longitude and latitude.
-      type: geo_point
-    threat.enrichments.indicator.geo.name:
-      dashed_name: threat-enrichments-indicator-geo-name
-      description: 'User-defined description of a location, at the level of granularity
-        they care about.
-
-        Could be the name of their data centers, the floor number, if this describes
-        a local physical entity, city names.
-
-        Not typically used in automated geolocation.'
-      example: boston-dc
-      flat_name: threat.enrichments.indicator.geo.name
+    threat.enrichments.indicator.file.x509.issuer.organization:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: threat.enrichments.indicator.file.x509.issuer.organization
       ignore_above: 1024
       level: extended
-      name: name
-      normalize: []
-      original_fieldset: geo
-      short: User-defined description of a location.
+      name: issuer.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of issuing certificate authority.
       type: keyword
-    threat.enrichments.indicator.geo.postal_code:
-      dashed_name: threat-enrichments-indicator-geo-postal-code
-      description: 'Postal code associated with the location.
-
-        Values appropriate for this field may also be known as a postcode or ZIP code
-        and will vary widely from country to country.'
-      example: 94040
-      flat_name: threat.enrichments.indicator.geo.postal_code
+    threat.enrichments.indicator.file.x509.issuer.organizational_unit:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: threat.enrichments.indicator.file.x509.issuer.organizational_unit
       ignore_above: 1024
-      level: core
-      name: postal_code
-      normalize: []
-      original_fieldset: geo
-      short: Postal code.
+      level: extended
+      name: issuer.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of issuing certificate authority.
       type: keyword
-    threat.enrichments.indicator.geo.region_iso_code:
-      dashed_name: threat-enrichments-indicator-geo-region-iso-code
-      description: Region ISO code.
-      example: CA-QC
-      flat_name: threat.enrichments.indicator.geo.region_iso_code
+    threat.enrichments.indicator.file.x509.issuer.state_or_province:
+      dashed_name: threat-enrichments-indicator-file-x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.enrichments.indicator.file.x509.issuer.state_or_province
       ignore_above: 1024
-      level: core
-      name: region_iso_code
-      normalize: []
-      original_fieldset: geo
-      short: Region ISO code.
+      level: extended
+      name: issuer.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
       type: keyword
-    threat.enrichments.indicator.geo.region_name:
-      dashed_name: threat-enrichments-indicator-geo-region-name
-      description: Region name.
-      example: Quebec
-      flat_name: threat.enrichments.indicator.geo.region_name
-      ignore_above: 1024
-      level: core
-      name: region_name
-      normalize: []
-      original_fieldset: geo
-      short: Region name.
-      type: keyword
-    threat.enrichments.indicator.geo.timezone:
-      dashed_name: threat-enrichments-indicator-geo-timezone
-      description: The time zone of the location, such as IANA time zone name.
-      example: America/Argentina/Buenos_Aires
-      flat_name: threat.enrichments.indicator.geo.timezone
-      ignore_above: 1024
-      level: core
-      name: timezone
-      normalize: []
-      original_fieldset: geo
-      short: Time zone.
-      type: keyword
-    threat.enrichments.indicator.hash.md5:
-      dashed_name: threat-enrichments-indicator-hash-md5
-      description: MD5 hash.
-      flat_name: threat.enrichments.indicator.hash.md5
-      ignore_above: 1024
-      level: extended
-      name: md5
-      normalize: []
-      original_fieldset: hash
-      short: MD5 hash.
-      type: keyword
-    threat.enrichments.indicator.hash.sha1:
-      dashed_name: threat-enrichments-indicator-hash-sha1
-      description: SHA1 hash.
-      flat_name: threat.enrichments.indicator.hash.sha1
-      ignore_above: 1024
+    threat.enrichments.indicator.file.x509.not_after:
+      dashed_name: threat-enrichments-indicator-file-x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: threat.enrichments.indicator.file.x509.not_after
       level: extended
-      name: sha1
+      name: not_after
       normalize: []
-      original_fieldset: hash
-      short: SHA1 hash.
-      type: keyword
-    threat.enrichments.indicator.hash.sha256:
-      dashed_name: threat-enrichments-indicator-hash-sha256
-      description: SHA256 hash.
-      flat_name: threat.enrichments.indicator.hash.sha256
-      ignore_above: 1024
+      original_fieldset: x509
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    threat.enrichments.indicator.file.x509.not_before:
+      dashed_name: threat-enrichments-indicator-file-x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: threat.enrichments.indicator.file.x509.not_before
       level: extended
-      name: sha256
+      name: not_before
       normalize: []
-      original_fieldset: hash
-      short: SHA256 hash.
-      type: keyword
-    threat.enrichments.indicator.hash.sha512:
-      dashed_name: threat-enrichments-indicator-hash-sha512
-      description: SHA512 hash.
-      flat_name: threat.enrichments.indicator.hash.sha512
+      original_fieldset: x509
+      short: Time at which the certificate is first considered valid.
+      type: date
+    threat.enrichments.indicator.file.x509.public_key_algorithm:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: threat.enrichments.indicator.file.x509.public_key_algorithm
       ignore_above: 1024
       level: extended
-      name: sha512
+      name: public_key_algorithm
       normalize: []
-      original_fieldset: hash
-      short: SHA512 hash.
+      original_fieldset: x509
+      short: Algorithm used to generate the public key.
       type: keyword
-    threat.enrichments.indicator.hash.ssdeep:
-      dashed_name: threat-enrichments-indicator-hash-ssdeep
-      description: SSDEEP hash.
-      flat_name: threat.enrichments.indicator.hash.ssdeep
+    threat.enrichments.indicator.file.x509.public_key_curve:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: threat.enrichments.indicator.file.x509.public_key_curve
       ignore_above: 1024
       level: extended
-      name: ssdeep
+      name: public_key_curve
       normalize: []
-      original_fieldset: hash
-      short: SSDEEP hash.
+      original_fieldset: x509
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
       type: keyword
-    threat.enrichments.indicator.ip:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-ip
-      description: Identifies a threat indicator as an IP address (irrespective of
-        direction).
-      example: 1.2.3.4
-      flat_name: threat.enrichments.indicator.ip
+    threat.enrichments.indicator.file.x509.public_key_exponent:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: threat.enrichments.indicator.file.x509.public_key_exponent
+      index: false
       level: extended
-      name: enrichments.indicator.ip
+      name: public_key_exponent
       normalize: []
-      short: Indicator IP address
-      type: ip
-    threat.enrichments.indicator.last_seen:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-last-seen
-      description: The date and time when intelligence source last reported sighting
-        this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.last_seen
+      original_fieldset: x509
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    threat.enrichments.indicator.file.x509.public_key_size:
+      dashed_name: threat-enrichments-indicator-file-x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: threat.enrichments.indicator.file.x509.public_key_size
       level: extended
-      name: enrichments.indicator.last_seen
+      name: public_key_size
       normalize: []
-      short: Date/time indicator was last reported.
-      type: date
-    threat.enrichments.indicator.marking.tlp:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-marking-tlp
-      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
-        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-      example: White
-      flat_name: threat.enrichments.indicator.marking.tlp
+      original_fieldset: x509
+      short: The size of the public key space in bits.
+      type: long
+    threat.enrichments.indicator.file.x509.serial_number:
+      dashed_name: threat-enrichments-indicator-file-x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: threat.enrichments.indicator.file.x509.serial_number
       ignore_above: 1024
       level: extended
-      name: enrichments.indicator.marking.tlp
+      name: serial_number
       normalize: []
-      short: Indicator TLP marking
+      original_fieldset: x509
+      short: Unique serial number issued by the certificate authority.
       type: keyword
-    threat.enrichments.indicator.modified_at:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-modified-at
-      description: The date and time when intelligence source last modified information
-        for this indicator.
-      example: '2020-11-05T17:25:47.000Z'
-      flat_name: threat.enrichments.indicator.modified_at
-      level: extended
-      name: enrichments.indicator.modified_at
-      normalize: []
-      short: Date/time indicator was last updated.
-      type: date
-    threat.enrichments.indicator.pe.architecture:
-      dashed_name: threat-enrichments-indicator-pe-architecture
-      description: CPU architecture target for the file.
-      example: x64
-      flat_name: threat.enrichments.indicator.pe.architecture
+    threat.enrichments.indicator.file.x509.signature_algorithm:
+      dashed_name: threat-enrichments-indicator-file-x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: threat.enrichments.indicator.file.x509.signature_algorithm
       ignore_above: 1024
       level: extended
-      name: architecture
+      name: signature_algorithm
       normalize: []
-      original_fieldset: pe
-      short: CPU architecture target for the file.
+      original_fieldset: x509
+      short: Identifier for certificate signature algorithm.
       type: keyword
-    threat.enrichments.indicator.pe.company:
-      dashed_name: threat-enrichments-indicator-pe-company
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      flat_name: threat.enrichments.indicator.pe.company
+    threat.enrichments.indicator.file.x509.subject.common_name:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: threat.enrichments.indicator.file.x509.subject.common_name
       ignore_above: 1024
       level: extended
-      name: company
-      normalize: []
-      original_fieldset: pe
-      short: Internal company name of the file, provided at compile-time.
+      name: subject.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common names (CN) of subject.
       type: keyword
-    threat.enrichments.indicator.pe.description:
-      dashed_name: threat-enrichments-indicator-pe-description
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      flat_name: threat.enrichments.indicator.pe.description
+    threat.enrichments.indicator.file.x509.subject.country:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: threat.enrichments.indicator.file.x509.subject.country
       ignore_above: 1024
       level: extended
-      name: description
-      normalize: []
-      original_fieldset: pe
-      short: Internal description of the file, provided at compile-time.
+      name: subject.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) code
       type: keyword
-    threat.enrichments.indicator.pe.file_version:
-      dashed_name: threat-enrichments-indicator-pe-file-version
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      flat_name: threat.enrichments.indicator.pe.file_version
+    threat.enrichments.indicator.file.x509.subject.distinguished_name:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: threat.enrichments.indicator.file.x509.subject.distinguished_name
       ignore_above: 1024
       level: extended
-      name: file_version
+      name: subject.distinguished_name
       normalize: []
-      original_fieldset: pe
-      short: Process name.
+      original_fieldset: x509
+      short: Distinguished name (DN) of the certificate subject entity.
       type: keyword
-    threat.enrichments.indicator.pe.imphash:
-      dashed_name: threat-enrichments-indicator-pe-imphash
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      flat_name: threat.enrichments.indicator.pe.imphash
+    threat.enrichments.indicator.file.x509.subject.locality:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: threat.enrichments.indicator.file.x509.subject.locality
       ignore_above: 1024
       level: extended
-      name: imphash
-      normalize: []
-      original_fieldset: pe
-      short: A hash of the imports in a PE file.
+      name: subject.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
       type: keyword
-    threat.enrichments.indicator.pe.original_file_name:
-      dashed_name: threat-enrichments-indicator-pe-original-file-name
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      flat_name: threat.enrichments.indicator.pe.original_file_name
+    threat.enrichments.indicator.file.x509.subject.organization:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: threat.enrichments.indicator.file.x509.subject.organization
       ignore_above: 1024
       level: extended
-      name: original_file_name
-      normalize: []
-      original_fieldset: pe
-      short: Internal name of the file, provided at compile-time.
+      name: subject.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of subject.
       type: keyword
-    threat.enrichments.indicator.pe.product:
-      dashed_name: threat-enrichments-indicator-pe-product
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      flat_name: threat.enrichments.indicator.pe.product
+    threat.enrichments.indicator.file.x509.subject.organizational_unit:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: threat.enrichments.indicator.file.x509.subject.organizational_unit
       ignore_above: 1024
       level: extended
-      name: product
-      normalize: []
-      original_fieldset: pe
-      short: Internal product name of the file, provided at compile-time.
+      name: subject.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of subject.
       type: keyword
-    threat.enrichments.indicator.port:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-port
-      description: Identifies a threat indicator as a port number (irrespective of
-        direction).
-      example: 443
-      flat_name: threat.enrichments.indicator.port
+    threat.enrichments.indicator.file.x509.subject.state_or_province:
+      dashed_name: threat-enrichments-indicator-file-x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.enrichments.indicator.file.x509.subject.state_or_province
+      ignore_above: 1024
       level: extended
-      name: enrichments.indicator.port
-      normalize: []
-      short: Indicator port
-      type: long
-    threat.enrichments.indicator.provider:
-      beta: This field is beta and subject to change.
-      dashed_name: threat-enrichments-indicator-provider
-      description: The name of the indicator's provider.
-      example: lrz_urlhaus
-      flat_name: threat.enrichments.indicator.provider
+      name: subject.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    threat.enrichments.indicator.file.x509.version_number:
+      dashed_name: threat-enrichments-indicator-file-x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: threat.enrichments.indicator.file.x509.version_number
       ignore_above: 1024
       level: extended
-      name: enrichments.indicator.provider
+      name: version_number
       normalize: []
-      short: Indicator provider
+      original_fieldset: x509
+      short: Version of x509 format.
       type: keyword
-    threat.enrichments.indicator.reference:
+    threat.enrichments.indicator.first_seen:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-first-seen
+      description: The date and time when intelligence source first reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.first_seen
+      level: extended
+      name: enrichments.indicator.first_seen
+      normalize: []
+      short: Date/time indicator was first reported.
+      type: date
+    threat.enrichments.indicator.geo.city_name:
+      dashed_name: threat-enrichments-indicator-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: threat.enrichments.indicator.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    threat.enrichments.indicator.geo.continent_code:
+      dashed_name: threat-enrichments-indicator-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: threat.enrichments.indicator.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
+    threat.enrichments.indicator.geo.continent_name:
+      dashed_name: threat-enrichments-indicator-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: threat.enrichments.indicator.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    threat.enrichments.indicator.geo.country_iso_code:
+      dashed_name: threat-enrichments-indicator-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: threat.enrichments.indicator.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    threat.enrichments.indicator.geo.country_name:
+      dashed_name: threat-enrichments-indicator-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: threat.enrichments.indicator.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    threat.enrichments.indicator.geo.location:
+      dashed_name: threat-enrichments-indicator-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: threat.enrichments.indicator.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    threat.enrichments.indicator.geo.name:
+      dashed_name: threat-enrichments-indicator-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: threat.enrichments.indicator.geo.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: keyword
+    threat.enrichments.indicator.geo.postal_code:
+      dashed_name: threat-enrichments-indicator-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: threat.enrichments.indicator.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
+    threat.enrichments.indicator.geo.region_iso_code:
+      dashed_name: threat-enrichments-indicator-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: threat.enrichments.indicator.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    threat.enrichments.indicator.geo.region_name:
+      dashed_name: threat-enrichments-indicator-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: threat.enrichments.indicator.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    threat.enrichments.indicator.geo.timezone:
+      dashed_name: threat-enrichments-indicator-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: threat.enrichments.indicator.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
+    threat.enrichments.indicator.ip:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-ip
+      description: Identifies a threat indicator as an IP address (irrespective of
+        direction).
+      example: 1.2.3.4
+      flat_name: threat.enrichments.indicator.ip
+      level: extended
+      name: enrichments.indicator.ip
+      normalize: []
+      short: Indicator IP address
+      type: ip
+    threat.enrichments.indicator.last_seen:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-last-seen
+      description: The date and time when intelligence source last reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.last_seen
+      level: extended
+      name: enrichments.indicator.last_seen
+      normalize: []
+      short: Date/time indicator was last reported.
+      type: date
+    threat.enrichments.indicator.marking.tlp:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-marking-tlp
+      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
+        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+      example: White
+      flat_name: threat.enrichments.indicator.marking.tlp
+      ignore_above: 1024
+      level: extended
+      name: enrichments.indicator.marking.tlp
+      normalize: []
+      short: Indicator TLP marking
+      type: keyword
+    threat.enrichments.indicator.modified_at:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-modified-at
+      description: The date and time when intelligence source last modified information
+        for this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.enrichments.indicator.modified_at
+      level: extended
+      name: enrichments.indicator.modified_at
+      normalize: []
+      short: Date/time indicator was last updated.
+      type: date
+    threat.enrichments.indicator.port:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-port
+      description: Identifies a threat indicator as a port number (irrespective of
+        direction).
+      example: 443
+      flat_name: threat.enrichments.indicator.port
+      level: extended
+      name: enrichments.indicator.port
+      normalize: []
+      short: Indicator port
+      type: long
+    threat.enrichments.indicator.provider:
+      beta: This field is beta and subject to change.
+      dashed_name: threat-enrichments-indicator-provider
+      description: The name of the indicator's provider.
+      example: lrz_urlhaus
+      flat_name: threat.enrichments.indicator.provider
+      ignore_above: 1024
+      level: extended
+      name: enrichments.indicator.provider
+      normalize: []
+      short: Indicator provider
+      type: keyword
+    threat.enrichments.indicator.reference:
       beta: This field is beta and subject to change.
       dashed_name: threat-enrichments-indicator-reference
       description: Reference URL linking to additional information about this indicator.
@@ -12317,6 +13321,16 @@ threat:
       normalize: []
       short: Matched indicator index
       type: keyword
+    threat.enrichments.matched.occurred:
+      dashed_name: threat-enrichments-matched-occurred
+      description: Indicates when the indicator match was generated
+      example: 2021-10-05 17:00:58.326000+00:00
+      flat_name: threat.enrichments.matched.occurred
+      level: extended
+      name: enrichments.matched.occurred
+      normalize: []
+      short: Date of match
+      type: date
     threat.enrichments.matched.type:
       beta: This field is beta and subject to change.
       dashed_name: threat-enrichments-matched-type
@@ -13072,34 +14086,89 @@ threat:
       original_fieldset: file
       short: Primary group name of the file.
       type: keyword
-    threat.indicator.file.inode:
-      dashed_name: threat-indicator-file-inode
-      description: Inode representing the file in the filesystem.
-      example: '256383'
-      flat_name: threat.indicator.file.inode
+    threat.indicator.file.hash.md5:
+      dashed_name: threat-indicator-file-hash-md5
+      description: MD5 hash.
+      flat_name: threat.indicator.file.hash.md5
       ignore_above: 1024
       level: extended
-      name: inode
+      name: md5
       normalize: []
-      original_fieldset: file
-      short: Inode representing the file in the filesystem.
+      original_fieldset: hash
+      short: MD5 hash.
       type: keyword
-    threat.indicator.file.mime_type:
-      dashed_name: threat-indicator-file-mime-type
-      description: MIME type should identify the format of the file or stream of bytes
-        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
-        official types], where possible. When more than one type is applicable, the
-        most specific type should be used.
-      flat_name: threat.indicator.file.mime_type
+    threat.indicator.file.hash.sha1:
+      dashed_name: threat-indicator-file-hash-sha1
+      description: SHA1 hash.
+      flat_name: threat.indicator.file.hash.sha1
       ignore_above: 1024
       level: extended
-      name: mime_type
+      name: sha1
       normalize: []
-      original_fieldset: file
-      short: Media type of file, document, or arrangement of bytes.
+      original_fieldset: hash
+      short: SHA1 hash.
       type: keyword
-    threat.indicator.file.mode:
-      dashed_name: threat-indicator-file-mode
+    threat.indicator.file.hash.sha256:
+      dashed_name: threat-indicator-file-hash-sha256
+      description: SHA256 hash.
+      flat_name: threat.indicator.file.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    threat.indicator.file.hash.sha512:
+      dashed_name: threat-indicator-file-hash-sha512
+      description: SHA512 hash.
+      flat_name: threat.indicator.file.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    threat.indicator.file.hash.ssdeep:
+      dashed_name: threat-indicator-file-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: threat.indicator.file.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
+    threat.indicator.file.inode:
+      dashed_name: threat-indicator-file-inode
+      description: Inode representing the file in the filesystem.
+      example: '256383'
+      flat_name: threat.indicator.file.inode
+      ignore_above: 1024
+      level: extended
+      name: inode
+      normalize: []
+      original_fieldset: file
+      short: Inode representing the file in the filesystem.
+      type: keyword
+    threat.indicator.file.mime_type:
+      dashed_name: threat-indicator-file-mime-type
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
+      flat_name: threat.indicator.file.mime_type
+      ignore_above: 1024
+      level: extended
+      name: mime_type
+      normalize: []
+      original_fieldset: file
+      short: Media type of file, document, or arrangement of bytes.
+      type: keyword
+    threat.indicator.file.mode:
+      dashed_name: threat-indicator-file-mode
       description: Mode of the file in octal representation.
       example: '0640'
       flat_name: threat.indicator.file.mode
@@ -13127,91 +14196,485 @@ threat:
       flat_name: threat.indicator.file.name
       ignore_above: 1024
       level: extended
-      name: name
-      normalize: []
-      original_fieldset: file
-      short: Name of the file including the extension, without the directory.
+      name: name
+      normalize: []
+      original_fieldset: file
+      short: Name of the file including the extension, without the directory.
+      type: keyword
+    threat.indicator.file.owner:
+      dashed_name: threat-indicator-file-owner
+      description: File owner's username.
+      example: alice
+      flat_name: threat.indicator.file.owner
+      ignore_above: 1024
+      level: extended
+      name: owner
+      normalize: []
+      original_fieldset: file
+      short: File owner's username.
+      type: keyword
+    threat.indicator.file.path:
+      dashed_name: threat-indicator-file-path
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
+      flat_name: threat.indicator.file.path
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.indicator.file.path.text
+        name: text
+        type: match_only_text
+      name: path
+      normalize: []
+      original_fieldset: file
+      short: Full path to the file, including the file name.
+      type: keyword
+    threat.indicator.file.pe.architecture:
+      dashed_name: threat-indicator-file-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: threat.indicator.file.pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    threat.indicator.file.pe.company:
+      dashed_name: threat-indicator-file-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: threat.indicator.file.pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.file.pe.description:
+      dashed_name: threat-indicator-file-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: threat.indicator.file.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.file.pe.file_version:
+      dashed_name: threat-indicator-file-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: threat.indicator.file.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      original_fieldset: pe
+      short: Process name.
+      type: keyword
+    threat.indicator.file.pe.imphash:
+      dashed_name: threat-indicator-file-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: threat.indicator.file.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    threat.indicator.file.pe.original_file_name:
+      dashed_name: threat-indicator-file-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: threat.indicator.file.pe.original_file_name
+      ignore_above: 1024
+      level: extended
+      name: original_file_name
+      normalize: []
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.file.pe.product:
+      dashed_name: threat-indicator-file-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: threat.indicator.file.pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.file.size:
+      dashed_name: threat-indicator-file-size
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      flat_name: threat.indicator.file.size
+      level: extended
+      name: size
+      normalize: []
+      original_fieldset: file
+      short: File size in bytes.
+      type: long
+    threat.indicator.file.target_path:
+      dashed_name: threat-indicator-file-target-path
+      description: Target path for symlinks.
+      flat_name: threat.indicator.file.target_path
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.indicator.file.target_path.text
+        name: text
+        type: match_only_text
+      name: target_path
+      normalize: []
+      original_fieldset: file
+      short: Target path for symlinks.
+      type: keyword
+    threat.indicator.file.type:
+      dashed_name: threat-indicator-file-type
+      description: File type (file, dir, or symlink).
+      example: file
+      flat_name: threat.indicator.file.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: file
+      short: File type (file, dir, or symlink).
+      type: keyword
+    threat.indicator.file.uid:
+      dashed_name: threat-indicator-file-uid
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+      flat_name: threat.indicator.file.uid
+      ignore_above: 1024
+      level: extended
+      name: uid
+      normalize: []
+      original_fieldset: file
+      short: The user ID (UID) or security identifier (SID) of the file owner.
+      type: keyword
+    threat.indicator.file.x509.alternative_names:
+      dashed_name: threat-indicator-file-x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: threat.indicator.file.x509.alternative_names
+      ignore_above: 1024
+      level: extended
+      name: alternative_names
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of subject alternative names (SAN).
+      type: keyword
+    threat.indicator.file.x509.issuer.common_name:
+      dashed_name: threat-indicator-file-x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: threat.indicator.file.x509.issuer.common_name
+      ignore_above: 1024
+      level: extended
+      name: issuer.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common name (CN) of issuing certificate authority.
+      type: keyword
+    threat.indicator.file.x509.issuer.country:
+      dashed_name: threat-indicator-file-x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: threat.indicator.file.x509.issuer.country
+      ignore_above: 1024
+      level: extended
+      name: issuer.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) codes
+      type: keyword
+    threat.indicator.file.x509.issuer.distinguished_name:
+      dashed_name: threat-indicator-file-x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: threat.indicator.file.x509.issuer.distinguished_name
+      ignore_above: 1024
+      level: extended
+      name: issuer.distinguished_name
+      normalize: []
+      original_fieldset: x509
+      short: Distinguished name (DN) of issuing certificate authority.
+      type: keyword
+    threat.indicator.file.x509.issuer.locality:
+      dashed_name: threat-indicator-file-x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: threat.indicator.file.x509.issuer.locality
+      ignore_above: 1024
+      level: extended
+      name: issuer.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    threat.indicator.file.x509.issuer.organization:
+      dashed_name: threat-indicator-file-x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: threat.indicator.file.x509.issuer.organization
+      ignore_above: 1024
+      level: extended
+      name: issuer.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of issuing certificate authority.
+      type: keyword
+    threat.indicator.file.x509.issuer.organizational_unit:
+      dashed_name: threat-indicator-file-x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: threat.indicator.file.x509.issuer.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: issuer.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of issuing certificate authority.
+      type: keyword
+    threat.indicator.file.x509.issuer.state_or_province:
+      dashed_name: threat-indicator-file-x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.indicator.file.x509.issuer.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: issuer.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    threat.indicator.file.x509.not_after:
+      dashed_name: threat-indicator-file-x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: threat.indicator.file.x509.not_after
+      level: extended
+      name: not_after
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    threat.indicator.file.x509.not_before:
+      dashed_name: threat-indicator-file-x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: threat.indicator.file.x509.not_before
+      level: extended
+      name: not_before
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is first considered valid.
+      type: date
+    threat.indicator.file.x509.public_key_algorithm:
+      dashed_name: threat-indicator-file-x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: threat.indicator.file.x509.public_key_algorithm
+      ignore_above: 1024
+      level: extended
+      name: public_key_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Algorithm used to generate the public key.
+      type: keyword
+    threat.indicator.file.x509.public_key_curve:
+      dashed_name: threat-indicator-file-x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: threat.indicator.file.x509.public_key_curve
+      ignore_above: 1024
+      level: extended
+      name: public_key_curve
+      normalize: []
+      original_fieldset: x509
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
+      type: keyword
+    threat.indicator.file.x509.public_key_exponent:
+      dashed_name: threat-indicator-file-x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: threat.indicator.file.x509.public_key_exponent
+      index: false
+      level: extended
+      name: public_key_exponent
+      normalize: []
+      original_fieldset: x509
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    threat.indicator.file.x509.public_key_size:
+      dashed_name: threat-indicator-file-x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: threat.indicator.file.x509.public_key_size
+      level: extended
+      name: public_key_size
+      normalize: []
+      original_fieldset: x509
+      short: The size of the public key space in bits.
+      type: long
+    threat.indicator.file.x509.serial_number:
+      dashed_name: threat-indicator-file-x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: threat.indicator.file.x509.serial_number
+      ignore_above: 1024
+      level: extended
+      name: serial_number
+      normalize: []
+      original_fieldset: x509
+      short: Unique serial number issued by the certificate authority.
+      type: keyword
+    threat.indicator.file.x509.signature_algorithm:
+      dashed_name: threat-indicator-file-x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: threat.indicator.file.x509.signature_algorithm
+      ignore_above: 1024
+      level: extended
+      name: signature_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Identifier for certificate signature algorithm.
+      type: keyword
+    threat.indicator.file.x509.subject.common_name:
+      dashed_name: threat-indicator-file-x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: threat.indicator.file.x509.subject.common_name
+      ignore_above: 1024
+      level: extended
+      name: subject.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common names (CN) of subject.
       type: keyword
-    threat.indicator.file.owner:
-      dashed_name: threat-indicator-file-owner
-      description: File owner's username.
-      example: alice
-      flat_name: threat.indicator.file.owner
+    threat.indicator.file.x509.subject.country:
+      dashed_name: threat-indicator-file-x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: threat.indicator.file.x509.subject.country
       ignore_above: 1024
       level: extended
-      name: owner
-      normalize: []
-      original_fieldset: file
-      short: File owner's username.
+      name: subject.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) code
       type: keyword
-    threat.indicator.file.path:
-      dashed_name: threat-indicator-file-path
-      description: Full path to the file, including the file name. It should include
-        the drive letter, when appropriate.
-      example: /home/alice/example.png
-      flat_name: threat.indicator.file.path
+    threat.indicator.file.x509.subject.distinguished_name:
+      dashed_name: threat-indicator-file-x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: threat.indicator.file.x509.subject.distinguished_name
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: threat.indicator.file.path.text
-        name: text
-        type: match_only_text
-      name: path
+      name: subject.distinguished_name
       normalize: []
-      original_fieldset: file
-      short: Full path to the file, including the file name.
+      original_fieldset: x509
+      short: Distinguished name (DN) of the certificate subject entity.
       type: keyword
-    threat.indicator.file.size:
-      dashed_name: threat-indicator-file-size
-      description: 'File size in bytes.
-
-        Only relevant when `file.type` is "file".'
-      example: 16384
-      flat_name: threat.indicator.file.size
+    threat.indicator.file.x509.subject.locality:
+      dashed_name: threat-indicator-file-x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: threat.indicator.file.x509.subject.locality
+      ignore_above: 1024
       level: extended
-      name: size
-      normalize: []
-      original_fieldset: file
-      short: File size in bytes.
-      type: long
-    threat.indicator.file.target_path:
-      dashed_name: threat-indicator-file-target-path
-      description: Target path for symlinks.
-      flat_name: threat.indicator.file.target_path
+      name: subject.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    threat.indicator.file.x509.subject.organization:
+      dashed_name: threat-indicator-file-x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: threat.indicator.file.x509.subject.organization
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: threat.indicator.file.target_path.text
-        name: text
-        type: match_only_text
-      name: target_path
-      normalize: []
-      original_fieldset: file
-      short: Target path for symlinks.
+      name: subject.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of subject.
       type: keyword
-    threat.indicator.file.type:
-      dashed_name: threat-indicator-file-type
-      description: File type (file, dir, or symlink).
-      example: file
-      flat_name: threat.indicator.file.type
+    threat.indicator.file.x509.subject.organizational_unit:
+      dashed_name: threat-indicator-file-x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: threat.indicator.file.x509.subject.organizational_unit
       ignore_above: 1024
       level: extended
-      name: type
-      normalize: []
-      original_fieldset: file
-      short: File type (file, dir, or symlink).
+      name: subject.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of subject.
       type: keyword
-    threat.indicator.file.uid:
-      dashed_name: threat-indicator-file-uid
-      description: The user ID (UID) or security identifier (SID) of the file owner.
-      example: '1001'
-      flat_name: threat.indicator.file.uid
+    threat.indicator.file.x509.subject.state_or_province:
+      dashed_name: threat-indicator-file-x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: threat.indicator.file.x509.subject.state_or_province
       ignore_above: 1024
       level: extended
-      name: uid
+      name: subject.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    threat.indicator.file.x509.version_number:
+      dashed_name: threat-indicator-file-x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: threat.indicator.file.x509.version_number
+      ignore_above: 1024
+      level: extended
+      name: version_number
       normalize: []
-      original_fieldset: file
-      short: The user ID (UID) or security identifier (SID) of the file owner.
+      original_fieldset: x509
+      short: Version of x509 format.
       type: keyword
     threat.indicator.first_seen:
       dashed_name: threat-indicator-first-seen
@@ -13364,61 +14827,6 @@ threat:
       original_fieldset: geo
       short: Time zone.
       type: keyword
-    threat.indicator.hash.md5:
-      dashed_name: threat-indicator-hash-md5
-      description: MD5 hash.
-      flat_name: threat.indicator.hash.md5
-      ignore_above: 1024
-      level: extended
-      name: md5
-      normalize: []
-      original_fieldset: hash
-      short: MD5 hash.
-      type: keyword
-    threat.indicator.hash.sha1:
-      dashed_name: threat-indicator-hash-sha1
-      description: SHA1 hash.
-      flat_name: threat.indicator.hash.sha1
-      ignore_above: 1024
-      level: extended
-      name: sha1
-      normalize: []
-      original_fieldset: hash
-      short: SHA1 hash.
-      type: keyword
-    threat.indicator.hash.sha256:
-      dashed_name: threat-indicator-hash-sha256
-      description: SHA256 hash.
-      flat_name: threat.indicator.hash.sha256
-      ignore_above: 1024
-      level: extended
-      name: sha256
-      normalize: []
-      original_fieldset: hash
-      short: SHA256 hash.
-      type: keyword
-    threat.indicator.hash.sha512:
-      dashed_name: threat-indicator-hash-sha512
-      description: SHA512 hash.
-      flat_name: threat.indicator.hash.sha512
-      ignore_above: 1024
-      level: extended
-      name: sha512
-      normalize: []
-      original_fieldset: hash
-      short: SHA512 hash.
-      type: keyword
-    threat.indicator.hash.ssdeep:
-      dashed_name: threat-indicator-hash-ssdeep
-      description: SSDEEP hash.
-      flat_name: threat.indicator.hash.ssdeep
-      ignore_above: 1024
-      level: extended
-      name: ssdeep
-      normalize: []
-      original_fieldset: hash
-      short: SSDEEP hash.
-      type: keyword
     threat.indicator.ip:
       dashed_name: threat-indicator-ip
       description: Identifies a threat indicator as an IP address (irrespective of
@@ -13464,94 +14872,6 @@ threat:
       normalize: []
       short: Date/time indicator was last updated.
       type: date
-    threat.indicator.pe.architecture:
-      dashed_name: threat-indicator-pe-architecture
-      description: CPU architecture target for the file.
-      example: x64
-      flat_name: threat.indicator.pe.architecture
-      ignore_above: 1024
-      level: extended
-      name: architecture
-      normalize: []
-      original_fieldset: pe
-      short: CPU architecture target for the file.
-      type: keyword
-    threat.indicator.pe.company:
-      dashed_name: threat-indicator-pe-company
-      description: Internal company name of the file, provided at compile-time.
-      example: Microsoft Corporation
-      flat_name: threat.indicator.pe.company
-      ignore_above: 1024
-      level: extended
-      name: company
-      normalize: []
-      original_fieldset: pe
-      short: Internal company name of the file, provided at compile-time.
-      type: keyword
-    threat.indicator.pe.description:
-      dashed_name: threat-indicator-pe-description
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
-      flat_name: threat.indicator.pe.description
-      ignore_above: 1024
-      level: extended
-      name: description
-      normalize: []
-      original_fieldset: pe
-      short: Internal description of the file, provided at compile-time.
-      type: keyword
-    threat.indicator.pe.file_version:
-      dashed_name: threat-indicator-pe-file-version
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
-      flat_name: threat.indicator.pe.file_version
-      ignore_above: 1024
-      level: extended
-      name: file_version
-      normalize: []
-      original_fieldset: pe
-      short: Process name.
-      type: keyword
-    threat.indicator.pe.imphash:
-      dashed_name: threat-indicator-pe-imphash
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
-      flat_name: threat.indicator.pe.imphash
-      ignore_above: 1024
-      level: extended
-      name: imphash
-      normalize: []
-      original_fieldset: pe
-      short: A hash of the imports in a PE file.
-      type: keyword
-    threat.indicator.pe.original_file_name:
-      dashed_name: threat-indicator-pe-original-file-name
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
-      flat_name: threat.indicator.pe.original_file_name
-      ignore_above: 1024
-      level: extended
-      name: original_file_name
-      normalize: []
-      original_fieldset: pe
-      short: Internal name of the file, provided at compile-time.
-      type: keyword
-    threat.indicator.pe.product:
-      dashed_name: threat-indicator-pe-product
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
-      flat_name: threat.indicator.pe.product
-      ignore_above: 1024
-      level: extended
-      name: product
-      normalize: []
-      original_fieldset: pe
-      short: Internal product name of the file, provided at compile-time.
-      type: keyword
     threat.indicator.port:
       dashed_name: threat-indicator-port
       description: Identifies a threat indicator as a port number (irrespective of
@@ -14456,21 +15776,24 @@ threat:
   - threat.enrichments.indicator.as
   - threat.enrichments.indicator.file
   - threat.enrichments.indicator.geo
-  - threat.enrichments.indicator.hash
-  - threat.enrichments.indicator.pe
   - threat.enrichments.indicator.registry
   - threat.enrichments.indicator.url
   - threat.enrichments.indicator.x509
   - threat.indicator.as
   - threat.indicator.file
   - threat.indicator.geo
-  - threat.indicator.hash
-  - threat.indicator.pe
   - threat.indicator.registry
   - threat.indicator.url
   - threat.indicator.x509
   prefix: threat.
   reused_here:
+  - full: threat.indicator.x509
+    schema_name: x509
+    short: These fields contain x509 certificate metadata.
+  - beta: Reusing the `x509` fields in this location is currently considered beta.
+    full: threat.enrichments.indicator.x509
+    schema_name: x509
+    short: These fields contain x509 certificate metadata.
   - full: threat.indicator.as
     schema_name: as
     short: Fields describing an Autonomous System (Internet routing prefix).
@@ -14492,20 +15815,6 @@ threat:
     full: threat.enrichments.indicator.geo
     schema_name: geo
     short: Fields describing a location.
-  - full: threat.indicator.hash
-    schema_name: hash
-    short: Hashes, usually file hashes.
-  - beta: Reusing the `hash` fields in this location is currently considered beta.
-    full: threat.enrichments.indicator.hash
-    schema_name: hash
-    short: Hashes, usually file hashes.
-  - full: threat.indicator.pe
-    schema_name: pe
-    short: These fields contain Windows Portable Executable (PE) metadata.
-  - beta: Reusing the `pe` fields in this location is currently considered beta.
-    full: threat.enrichments.indicator.pe
-    schema_name: pe
-    short: These fields contain Windows Portable Executable (PE) metadata.
   - full: threat.indicator.registry
     schema_name: registry
     short: Fields related to Windows Registry operations.
@@ -14520,13 +15829,6 @@ threat:
     full: threat.enrichments.indicator.url
     schema_name: url
     short: Fields that let you store URLs in various forms.
-  - full: threat.indicator.x509
-    schema_name: x509
-    short: These fields contain x509 certificate metadata.
-  - beta: Reusing the `x509` fields in this location is currently considered beta.
-    full: threat.enrichments.indicator.x509
-    schema_name: x509
-    short: These fields contain x509 certificate metadata.
   short: Fields to classify events and alerts according to a threat taxonomy.
   title: Threat
   type: group
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 7a119fed0b..6f2d276ee7 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -5,7 +5,7 @@
   "mappings": {
     "_doc": {
       "_meta": {
-        "version": "8.0.0-dev"
+        "version": "8.1.0-dev"
       },
       "date_detection": false,
       "dynamic_templates": [
@@ -271,6 +271,74 @@
                 }
               }
             },
+            "origin": {
+              "properties": {
+                "account": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "availability_zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "instance": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "machine": {
+                  "properties": {
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "project": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "service": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
             "project": {
               "properties": {
                 "id": {
@@ -298,6 +366,74 @@
                   "type": "keyword"
                 }
               }
+            },
+            "target": {
+              "properties": {
+                "account": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "availability_zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "instance": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "machine": {
+                  "properties": {
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "project": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "service": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
             }
           }
         },
@@ -849,6 +985,30 @@
             }
           }
         },
+        "faas": {
+          "properties": {
+            "coldstart": {
+              "type": "boolean"
+            },
+            "execution": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "trigger": {
+              "properties": {
+                "request_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "nested"
+            }
+          }
+        },
         "file": {
           "properties": {
             "accessed": {
@@ -930,7 +1090,7 @@
                   "type": "date"
                 },
                 "exports": {
-                  "type": "flattened"
+                  "type": "object"
                 },
                 "header": {
                   "properties": {
@@ -968,7 +1128,7 @@
                   }
                 },
                 "imports": {
-                  "type": "flattened"
+                  "type": "object"
                 },
                 "sections": {
                   "properties": {
@@ -2084,7 +2244,7 @@
                   "type": "date"
                 },
                 "exports": {
-                  "type": "flattened"
+                  "type": "object"
                 },
                 "header": {
                   "properties": {
@@ -2122,7 +2282,7 @@
                   }
                 },
                 "imports": {
-                  "type": "flattened"
+                  "type": "object"
                 },
                 "sections": {
                   "properties": {
@@ -2310,7 +2470,7 @@
                       "type": "date"
                     },
                     "exports": {
-                      "type": "flattened"
+                      "type": "object"
                     },
                     "header": {
                       "properties": {
@@ -2348,7 +2508,7 @@
                       }
                     },
                     "imports": {
-                      "type": "flattened"
+                      "type": "object"
                     },
                     "sections": {
                       "properties": {
@@ -2501,9 +2661,6 @@
                 "pid": {
                   "type": "long"
                 },
-                "ppid": {
-                  "type": "long"
-                },
                 "start": {
                   "type": "date"
                 },
@@ -2581,9 +2738,6 @@
             "pid": {
               "type": "long"
             },
-            "ppid": {
-              "type": "long"
-            },
             "start": {
               "type": "date"
             },
@@ -2930,10 +3084,98 @@
                 }
               }
             },
+            "origin": {
+              "properties": {
+                "address": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "environment": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ephemeral_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "node": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "state": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "state": {
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "target": {
+              "properties": {
+                "address": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "environment": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ephemeral_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "node": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "state": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "type": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -3258,7 +3500,7 @@
                               "type": "date"
                             },
                             "exports": {
-                              "type": "flattened"
+                              "type": "object"
                             },
                             "header": {
                               "properties": {
@@ -3296,7 +3538,7 @@
                               }
                             },
                             "imports": {
-                              "type": "flattened"
+                              "type": "object"
                             },
                             "sections": {
                               "properties": {
@@ -3373,6 +3615,30 @@
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
+                        "hash": {
+                          "properties": {
+                            "md5": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha1": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha256": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha512": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "ssdeep": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
                         "inode": {
                           "ignore_above": 1024,
                           "type": "keyword"
@@ -3406,17 +3672,49 @@
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
-                        "size": {
-                          "type": "long"
-                        },
-                        "target_path": {
-                          "fields": {
-                            "text": {
-                              "norms": false,
-                              "type": "text"
-                            }
-                          },
-                          "ignore_above": 1024,
+                        "pe": {
+                          "properties": {
+                            "architecture": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "company": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "description": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "file_version": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "imphash": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "original_file_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "product": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
+                        "size": {
+                          "type": "long"
+                        },
+                        "target_path": {
+                          "fields": {
+                            "text": {
+                              "norms": false,
+                              "type": "text"
+                            }
+                          },
+                          "ignore_above": 1024,
                           "type": "keyword"
                         },
                         "type": {
@@ -3426,6 +3724,112 @@
                         "uid": {
                           "ignore_above": 1024,
                           "type": "keyword"
+                        },
+                        "x509": {
+                          "properties": {
+                            "alternative_names": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "issuer": {
+                              "properties": {
+                                "common_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "country": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "distinguished_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "locality": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organization": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organizational_unit": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "state_or_province": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            },
+                            "not_after": {
+                              "type": "date"
+                            },
+                            "not_before": {
+                              "type": "date"
+                            },
+                            "public_key_algorithm": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "public_key_curve": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "public_key_exponent": {
+                              "doc_values": false,
+                              "index": false,
+                              "type": "long"
+                            },
+                            "public_key_size": {
+                              "type": "long"
+                            },
+                            "serial_number": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "signature_algorithm": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "subject": {
+                              "properties": {
+                                "common_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "country": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "distinguished_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "locality": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organization": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organizational_unit": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "state_or_province": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            },
+                            "version_number": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
                         }
                       }
                     },
@@ -3479,30 +3883,6 @@
                         }
                       }
                     },
-                    "hash": {
-                      "properties": {
-                        "md5": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha1": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha256": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha512": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "ssdeep": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
                     "ip": {
                       "type": "ip"
                     },
@@ -3520,38 +3900,6 @@
                     "modified_at": {
                       "type": "date"
                     },
-                    "pe": {
-                      "properties": {
-                        "architecture": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "company": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "description": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "file_version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "imphash": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "original_file_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "product": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
                     "port": {
                       "type": "long"
                     },
@@ -3807,6 +4155,9 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "occurred": {
+                      "type": "date"
+                    },
                     "type": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -3960,7 +4311,7 @@
                           "type": "date"
                         },
                         "exports": {
-                          "type": "flattened"
+                          "type": "object"
                         },
                         "header": {
                           "properties": {
@@ -3998,7 +4349,7 @@
                           }
                         },
                         "imports": {
-                          "type": "flattened"
+                          "type": "object"
                         },
                         "sections": {
                           "properties": {
@@ -4075,6 +4426,30 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "hash": {
+                      "properties": {
+                        "md5": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha1": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha256": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha512": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "ssdeep": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
                     "inode": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -4108,6 +4483,38 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "pe": {
+                      "properties": {
+                        "architecture": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "company": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "description": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "file_version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "imphash": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "original_file_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "product": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
                     "size": {
                       "type": "long"
                     },
@@ -4128,6 +4535,112 @@
                     "uid": {
                       "ignore_above": 1024,
                       "type": "keyword"
+                    },
+                    "x509": {
+                      "properties": {
+                        "alternative_names": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "issuer": {
+                          "properties": {
+                            "common_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "country": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "distinguished_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "locality": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organization": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organizational_unit": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "state_or_province": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
+                        "not_after": {
+                          "type": "date"
+                        },
+                        "not_before": {
+                          "type": "date"
+                        },
+                        "public_key_algorithm": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "public_key_curve": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "public_key_exponent": {
+                          "doc_values": false,
+                          "index": false,
+                          "type": "long"
+                        },
+                        "public_key_size": {
+                          "type": "long"
+                        },
+                        "serial_number": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "signature_algorithm": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "subject": {
+                          "properties": {
+                            "common_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "country": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "distinguished_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "locality": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organization": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organizational_unit": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "state_or_province": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
+                        "version_number": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
                     }
                   }
                 },
@@ -4181,30 +4694,6 @@
                     }
                   }
                 },
-                "hash": {
-                  "properties": {
-                    "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha512": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "ssdeep": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
                 "ip": {
                   "type": "ip"
                 },
@@ -4222,38 +4711,6 @@
                 "modified_at": {
                   "type": "date"
                 },
-                "pe": {
-                  "properties": {
-                    "architecture": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "company": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "description": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "file_version": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "imphash": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "original_file_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "product": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
                 "port": {
                   "type": "long"
                 },
@@ -5404,4 +5861,4 @@
       "refresh_interval": "5s"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 663d0d531b..965a37ad09 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "8.0.0-dev"
+      "version": "8.1.0-dev"
     },
     "date_detection": false,
     "dynamic_templates": [
@@ -267,6 +267,74 @@
               }
             }
           },
+          "origin": {
+            "properties": {
+              "account": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "availability_zone": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "instance": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "machine": {
+                "properties": {
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "project": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "provider": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "service": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
+          },
           "project": {
             "properties": {
               "id": {
@@ -294,6 +362,74 @@
                 "type": "keyword"
               }
             }
+          },
+          "target": {
+            "properties": {
+              "account": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "availability_zone": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "instance": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "machine": {
+                "properties": {
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "project": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "provider": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "service": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
           }
         }
       },
@@ -834,6 +970,30 @@
           }
         }
       },
+      "faas": {
+        "properties": {
+          "coldstart": {
+            "type": "boolean"
+          },
+          "execution": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "trigger": {
+            "properties": {
+              "request_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            },
+            "type": "nested"
+          }
+        }
+      },
       "file": {
         "properties": {
           "accessed": {
@@ -2466,9 +2626,6 @@
               "pid": {
                 "type": "long"
               },
-              "ppid": {
-                "type": "long"
-              },
               "start": {
                 "type": "date"
               },
@@ -2544,9 +2701,6 @@
           "pid": {
             "type": "long"
           },
-          "ppid": {
-            "type": "long"
-          },
           "start": {
             "type": "date"
           },
@@ -2887,10 +3041,98 @@
               }
             }
           },
+          "origin": {
+            "properties": {
+              "address": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "environment": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "ephemeral_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "node": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "state": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "state": {
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "target": {
+            "properties": {
+              "address": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "environment": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "ephemeral_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "node": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "state": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "type": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -3326,6 +3568,30 @@
                         "ignore_above": 1024,
                         "type": "keyword"
                       },
+                      "hash": {
+                        "properties": {
+                          "md5": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "sha1": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "sha256": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "sha512": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "ssdeep": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
                       "inode": {
                         "ignore_above": 1024,
                         "type": "keyword"
@@ -3358,25 +3624,163 @@
                         "ignore_above": 1024,
                         "type": "keyword"
                       },
-                      "size": {
-                        "type": "long"
-                      },
-                      "target_path": {
-                        "fields": {
-                          "text": {
-                            "type": "match_only_text"
-                          }
-                        },
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
+                      "pe": {
+                        "properties": {
+                          "architecture": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "company": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "description": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "file_version": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "imphash": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "original_file_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "product": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
+                      "size": {
+                        "type": "long"
+                      },
+                      "target_path": {
+                        "fields": {
+                          "text": {
+                            "type": "match_only_text"
+                          }
+                        },
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
                       },
                       "uid": {
                         "ignore_above": 1024,
                         "type": "keyword"
+                      },
+                      "x509": {
+                        "properties": {
+                          "alternative_names": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "issuer": {
+                            "properties": {
+                              "common_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "country": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "distinguished_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "locality": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organization": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organizational_unit": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "state_or_province": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            }
+                          },
+                          "not_after": {
+                            "type": "date"
+                          },
+                          "not_before": {
+                            "type": "date"
+                          },
+                          "public_key_algorithm": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "public_key_curve": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "public_key_exponent": {
+                            "doc_values": false,
+                            "index": false,
+                            "type": "long"
+                          },
+                          "public_key_size": {
+                            "type": "long"
+                          },
+                          "serial_number": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "signature_algorithm": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "subject": {
+                            "properties": {
+                              "common_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "country": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "distinguished_name": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "locality": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organization": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "organizational_unit": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              },
+                              "state_or_province": {
+                                "ignore_above": 1024,
+                                "type": "keyword"
+                              }
+                            }
+                          },
+                          "version_number": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
                       }
                     }
                   },
@@ -3430,30 +3834,6 @@
                       }
                     }
                   },
-                  "hash": {
-                    "properties": {
-                      "md5": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha1": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha256": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "sha512": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ssdeep": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
                   "ip": {
                     "type": "ip"
                   },
@@ -3471,38 +3851,6 @@
                   "modified_at": {
                     "type": "date"
                   },
-                  "pe": {
-                    "properties": {
-                      "architecture": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "company": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "description": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "file_version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "imphash": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "original_file_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "product": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
                   "port": {
                     "type": "long"
                   },
@@ -3752,6 +4100,9 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "occurred": {
+                    "type": "date"
+                  },
                   "type": {
                     "ignore_above": 1024,
                     "type": "keyword"
@@ -4019,6 +4370,30 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "hash": {
+                    "properties": {
+                      "md5": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha1": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha256": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha512": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "ssdeep": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
                   "inode": {
                     "ignore_above": 1024,
                     "type": "keyword"
@@ -4051,6 +4426,38 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "pe": {
+                    "properties": {
+                      "architecture": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "company": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "description": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "file_version": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "imphash": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "original_file_name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "product": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
                   "size": {
                     "type": "long"
                   },
@@ -4070,6 +4477,112 @@
                   "uid": {
                     "ignore_above": 1024,
                     "type": "keyword"
+                  },
+                  "x509": {
+                    "properties": {
+                      "alternative_names": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "issuer": {
+                        "properties": {
+                          "common_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "country": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "distinguished_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "locality": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organization": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organizational_unit": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "state_or_province": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
+                      "not_after": {
+                        "type": "date"
+                      },
+                      "not_before": {
+                        "type": "date"
+                      },
+                      "public_key_algorithm": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "public_key_curve": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "public_key_exponent": {
+                        "doc_values": false,
+                        "index": false,
+                        "type": "long"
+                      },
+                      "public_key_size": {
+                        "type": "long"
+                      },
+                      "serial_number": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "signature_algorithm": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "subject": {
+                        "properties": {
+                          "common_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "country": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "distinguished_name": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "locality": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organization": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "organizational_unit": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          },
+                          "state_or_province": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      },
+                      "version_number": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
                   }
                 }
               },
@@ -4123,30 +4636,6 @@
                   }
                 }
               },
-              "hash": {
-                "properties": {
-                  "md5": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha1": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha256": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "sha512": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ssdeep": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
               "ip": {
                 "type": "ip"
               },
@@ -4164,38 +4653,6 @@
               "modified_at": {
                 "type": "date"
               },
-              "pe": {
-                "properties": {
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "company": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "description": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "file_version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "imphash": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "original_file_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "product": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
               "port": {
                 "type": "long"
               },
@@ -5320,4 +5777,4 @@
       "refresh_interval": "5s"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json
index 0dcc58cfc5..acc1f4e02d 100644
--- a/generated/elasticsearch/component/agent.json
+++ b/generated/elasticsearch/component/agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -41,4 +41,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/base.json b/generated/elasticsearch/component/base.json
index 16c6512173..6977fe2ef1 100644
--- a/generated/elasticsearch/component/base.json
+++ b/generated/elasticsearch/component/base.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -22,4 +22,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
index 7ab85988d7..631d4c72b6 100644
--- a/generated/elasticsearch/component/client.json
+++ b/generated/elasticsearch/component/client.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json
index e2b642249a..e8a99f26b0 100644
--- a/generated/elasticsearch/component/cloud.json
+++ b/generated/elasticsearch/component/cloud.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -44,6 +44,74 @@
                 }
               }
             },
+            "origin": {
+              "properties": {
+                "account": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "availability_zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "instance": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "machine": {
+                  "properties": {
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "project": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "service": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
             "project": {
               "properties": {
                 "id": {
@@ -71,10 +139,78 @@
                   "type": "keyword"
                 }
               }
+            },
+            "target": {
+              "properties": {
+                "account": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "availability_zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "instance": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "machine": {
+                  "properties": {
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "project": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "service": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
             }
           }
         }
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/container.json b/generated/elasticsearch/component/container.json
index 1cbf198696..0099b95189 100644
--- a/generated/elasticsearch/component/container.json
+++ b/generated/elasticsearch/component/container.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -40,4 +40,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/data_stream.json b/generated/elasticsearch/component/data_stream.json
index 722ef998ee..86fadf391b 100644
--- a/generated/elasticsearch/component/data_stream.json
+++ b/generated/elasticsearch/component/data_stream.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -22,4 +22,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
index ce1429fa45..167a7c9283 100644
--- a/generated/elasticsearch/component/destination.json
+++ b/generated/elasticsearch/component/destination.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index 77024d20b8..19dc57d088 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -113,4 +113,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json
index e005766e3b..d8a1cd4f63 100644
--- a/generated/elasticsearch/component/dns.json
+++ b/generated/elasticsearch/component/dns.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -88,4 +88,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/ecs.json b/generated/elasticsearch/component/ecs.json
index 633b681618..768af61813 100644
--- a/generated/elasticsearch/component/ecs.json
+++ b/generated/elasticsearch/component/ecs.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -17,4 +17,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json
index 17c4e94d93..89a74a9450 100644
--- a/generated/elasticsearch/component/error.json
+++ b/generated/elasticsearch/component/error.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -36,4 +36,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/event.json b/generated/elasticsearch/component/event.json
index 92575ff410..beea37bd2d 100644
--- a/generated/elasticsearch/component/event.json
+++ b/generated/elasticsearch/component/event.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -109,4 +109,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/faas.json b/generated/elasticsearch/component/faas.json
new file mode 100644
index 0000000000..4adbb1d80d
--- /dev/null
+++ b/generated/elasticsearch/component/faas.json
@@ -0,0 +1,36 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html",
+    "ecs_version": "8.1.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "faas": {
+          "properties": {
+            "coldstart": {
+              "type": "boolean"
+            },
+            "execution": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "trigger": {
+              "properties": {
+                "request_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "nested"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index 89eb5e3239..dc2d0c39f4 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -421,4 +421,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/group.json b/generated/elasticsearch/component/group.json
index 7bafdb8d79..be5e61904c 100644
--- a/generated/elasticsearch/component/group.json
+++ b/generated/elasticsearch/component/group.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -25,4 +25,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index 8dd914dda1..f0fe2253f4 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -186,4 +186,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
index 26ff093c71..3564a8b46c 100644
--- a/generated/elasticsearch/component/http.json
+++ b/generated/elasticsearch/component/http.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -84,4 +84,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json
index 7b87c472c2..88cffb950a 100644
--- a/generated/elasticsearch/component/log.json
+++ b/generated/elasticsearch/component/log.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -78,4 +78,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/network.json b/generated/elasticsearch/component/network.json
index 20bef22e98..49e3fc2896 100644
--- a/generated/elasticsearch/component/network.json
+++ b/generated/elasticsearch/component/network.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -83,4 +83,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
index 934744f961..ec65a0ccd2 100644
--- a/generated/elasticsearch/component/observer.json
+++ b/generated/elasticsearch/component/observer.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -211,4 +211,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/orchestrator.json b/generated/elasticsearch/component/orchestrator.json
index 48b3931b2f..829264c809 100644
--- a/generated/elasticsearch/component/orchestrator.json
+++ b/generated/elasticsearch/component/orchestrator.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -57,4 +57,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json
index 2755d043d6..eb257eb25b 100644
--- a/generated/elasticsearch/component/organization.json
+++ b/generated/elasticsearch/component/organization.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -26,4 +26,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/package.json b/generated/elasticsearch/component/package.json
index 4925309235..26e33c6934 100644
--- a/generated/elasticsearch/component/package.json
+++ b/generated/elasticsearch/component/package.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -63,4 +63,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index 1949086375..82f624638f 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -488,9 +488,6 @@
                 "pid": {
                   "type": "long"
                 },
-                "ppid": {
-                  "type": "long"
-                },
                 "start": {
                   "type": "date"
                 },
@@ -566,9 +563,6 @@
             "pid": {
               "type": "long"
             },
-            "ppid": {
-              "type": "long"
-            },
             "start": {
               "type": "date"
             },
@@ -609,4 +603,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json
index 9704be7748..c00bb41981 100644
--- a/generated/elasticsearch/component/registry.json
+++ b/generated/elasticsearch/component/registry.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -44,4 +44,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/related.json b/generated/elasticsearch/component/related.json
index 3f95ffd419..307604dd15 100644
--- a/generated/elasticsearch/component/related.json
+++ b/generated/elasticsearch/component/related.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -28,4 +28,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/rule.json b/generated/elasticsearch/component/rule.json
index 6a8d669be9..ead1e3fc8a 100644
--- a/generated/elasticsearch/component/rule.json
+++ b/generated/elasticsearch/component/rule.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -53,4 +53,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json
index 1bb34ff4bf..b006fddbb8 100644
--- a/generated/elasticsearch/component/server.json
+++ b/generated/elasticsearch/component/server.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/service.json b/generated/elasticsearch/component/service.json
index 9015457180..f698fc99d5 100644
--- a/generated/elasticsearch/component/service.json
+++ b/generated/elasticsearch/component/service.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -36,10 +36,98 @@
                 }
               }
             },
+            "origin": {
+              "properties": {
+                "address": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "environment": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ephemeral_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "node": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "state": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "state": {
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "target": {
+              "properties": {
+                "address": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "environment": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ephemeral_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "node": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "state": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "type": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -53,4 +141,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json
index e01dd0619a..bd9543534e 100644
--- a/generated/elasticsearch/component/source.json
+++ b/generated/elasticsearch/component/source.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -184,4 +184,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json
index ebc93b9672..0baf34d695 100644
--- a/generated/elasticsearch/component/threat.json
+++ b/generated/elasticsearch/component/threat.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -244,6 +244,30 @@
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
+                        "hash": {
+                          "properties": {
+                            "md5": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha1": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha256": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "sha512": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "ssdeep": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
                         "inode": {
                           "ignore_above": 1024,
                           "type": "keyword"
@@ -276,6 +300,38 @@
                           "ignore_above": 1024,
                           "type": "keyword"
                         },
+                        "pe": {
+                          "properties": {
+                            "architecture": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "company": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "description": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "file_version": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "imphash": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "original_file_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "product": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
                         "size": {
                           "type": "long"
                         },
@@ -295,6 +351,112 @@
                         "uid": {
                           "ignore_above": 1024,
                           "type": "keyword"
+                        },
+                        "x509": {
+                          "properties": {
+                            "alternative_names": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "issuer": {
+                              "properties": {
+                                "common_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "country": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "distinguished_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "locality": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organization": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organizational_unit": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "state_or_province": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            },
+                            "not_after": {
+                              "type": "date"
+                            },
+                            "not_before": {
+                              "type": "date"
+                            },
+                            "public_key_algorithm": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "public_key_curve": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "public_key_exponent": {
+                              "doc_values": false,
+                              "index": false,
+                              "type": "long"
+                            },
+                            "public_key_size": {
+                              "type": "long"
+                            },
+                            "serial_number": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "signature_algorithm": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "subject": {
+                              "properties": {
+                                "common_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "country": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "distinguished_name": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "locality": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organization": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "organizational_unit": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                },
+                                "state_or_province": {
+                                  "ignore_above": 1024,
+                                  "type": "keyword"
+                                }
+                              }
+                            },
+                            "version_number": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
                         }
                       }
                     },
@@ -348,30 +510,6 @@
                         }
                       }
                     },
-                    "hash": {
-                      "properties": {
-                        "md5": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha1": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha256": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "sha512": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "ssdeep": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
                     "ip": {
                       "type": "ip"
                     },
@@ -389,38 +527,6 @@
                     "modified_at": {
                       "type": "date"
                     },
-                    "pe": {
-                      "properties": {
-                        "architecture": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "company": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "description": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "file_version": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "imphash": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "original_file_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        },
-                        "product": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
-                        }
-                      }
-                    },
                     "port": {
                       "type": "long"
                     },
@@ -670,6 +776,9 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "occurred": {
+                      "type": "date"
+                    },
                     "type": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -937,6 +1046,30 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "hash": {
+                      "properties": {
+                        "md5": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha1": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha256": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha512": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "ssdeep": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
                     "inode": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -969,6 +1102,38 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "pe": {
+                      "properties": {
+                        "architecture": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "company": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "description": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "file_version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "imphash": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "original_file_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "product": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
                     "size": {
                       "type": "long"
                     },
@@ -988,6 +1153,112 @@
                     "uid": {
                       "ignore_above": 1024,
                       "type": "keyword"
+                    },
+                    "x509": {
+                      "properties": {
+                        "alternative_names": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "issuer": {
+                          "properties": {
+                            "common_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "country": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "distinguished_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "locality": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organization": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organizational_unit": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "state_or_province": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
+                        "not_after": {
+                          "type": "date"
+                        },
+                        "not_before": {
+                          "type": "date"
+                        },
+                        "public_key_algorithm": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "public_key_curve": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "public_key_exponent": {
+                          "doc_values": false,
+                          "index": false,
+                          "type": "long"
+                        },
+                        "public_key_size": {
+                          "type": "long"
+                        },
+                        "serial_number": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "signature_algorithm": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "subject": {
+                          "properties": {
+                            "common_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "country": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "distinguished_name": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "locality": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organization": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "organizational_unit": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            },
+                            "state_or_province": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        },
+                        "version_number": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
                     }
                   }
                 },
@@ -1041,30 +1312,6 @@
                     }
                   }
                 },
-                "hash": {
-                  "properties": {
-                    "md5": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha1": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha256": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "sha512": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "ssdeep": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
                 "ip": {
                   "type": "ip"
                 },
@@ -1082,38 +1329,6 @@
                 "modified_at": {
                   "type": "date"
                 },
-                "pe": {
-                  "properties": {
-                    "architecture": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "company": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "description": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "file_version": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "imphash": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "original_file_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "product": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
                 "port": {
                   "type": "long"
                 },
@@ -1435,4 +1650,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json
index a13c18ffe0..b19d78d567 100644
--- a/generated/elasticsearch/component/tls.json
+++ b/generated/elasticsearch/component/tls.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -351,4 +351,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/tracing.json b/generated/elasticsearch/component/tracing.json
index 610cdbb445..61782e4099 100644
--- a/generated/elasticsearch/component/tracing.json
+++ b/generated/elasticsearch/component/tracing.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -33,4 +33,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json
index d797334268..18e940666e 100644
--- a/generated/elasticsearch/component/url.json
+++ b/generated/elasticsearch/component/url.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -75,4 +75,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json
index a63a7c16c5..0f2d00744f 100644
--- a/generated/elasticsearch/component/user.json
+++ b/generated/elasticsearch/component/user.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -241,4 +241,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json
index a8e8899b14..eff7d8ac6f 100644
--- a/generated/elasticsearch/component/user_agent.json
+++ b/generated/elasticsearch/component/user_agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -80,4 +80,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/component/vulnerability.json b/generated/elasticsearch/component/vulnerability.json
index 5c59927eca..cc0753407d 100644
--- a/generated/elasticsearch/component/vulnerability.json
+++ b/generated/elasticsearch/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "template": {
     "mappings": {
@@ -75,4 +75,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/generated/elasticsearch/template.json b/generated/elasticsearch/template.json
index 85286d3c83..f913219d93 100644
--- a/generated/elasticsearch/template.json
+++ b/generated/elasticsearch/template.json
@@ -1,45 +1,46 @@
 {
   "_meta": {
     "description": "Sample composable template that includes all ECS fields",
-    "ecs_version": "8.0.0-dev"
+    "ecs_version": "8.1.0-dev"
   },
   "composed_of": [
-    "ecs_8.0.0-dev_agent",
-    "ecs_8.0.0-dev_base",
-    "ecs_8.0.0-dev_client",
-    "ecs_8.0.0-dev_cloud",
-    "ecs_8.0.0-dev_container",
-    "ecs_8.0.0-dev_data_stream",
-    "ecs_8.0.0-dev_destination",
-    "ecs_8.0.0-dev_dll",
-    "ecs_8.0.0-dev_dns",
-    "ecs_8.0.0-dev_ecs",
-    "ecs_8.0.0-dev_error",
-    "ecs_8.0.0-dev_event",
-    "ecs_8.0.0-dev_file",
-    "ecs_8.0.0-dev_group",
-    "ecs_8.0.0-dev_host",
-    "ecs_8.0.0-dev_http",
-    "ecs_8.0.0-dev_log",
-    "ecs_8.0.0-dev_network",
-    "ecs_8.0.0-dev_observer",
-    "ecs_8.0.0-dev_orchestrator",
-    "ecs_8.0.0-dev_organization",
-    "ecs_8.0.0-dev_package",
-    "ecs_8.0.0-dev_process",
-    "ecs_8.0.0-dev_registry",
-    "ecs_8.0.0-dev_related",
-    "ecs_8.0.0-dev_rule",
-    "ecs_8.0.0-dev_server",
-    "ecs_8.0.0-dev_service",
-    "ecs_8.0.0-dev_source",
-    "ecs_8.0.0-dev_threat",
-    "ecs_8.0.0-dev_tls",
-    "ecs_8.0.0-dev_tracing",
-    "ecs_8.0.0-dev_url",
-    "ecs_8.0.0-dev_user",
-    "ecs_8.0.0-dev_user_agent",
-    "ecs_8.0.0-dev_vulnerability"
+    "ecs_8.1.0-dev_agent",
+    "ecs_8.1.0-dev_base",
+    "ecs_8.1.0-dev_client",
+    "ecs_8.1.0-dev_cloud",
+    "ecs_8.1.0-dev_container",
+    "ecs_8.1.0-dev_data_stream",
+    "ecs_8.1.0-dev_destination",
+    "ecs_8.1.0-dev_dll",
+    "ecs_8.1.0-dev_dns",
+    "ecs_8.1.0-dev_ecs",
+    "ecs_8.1.0-dev_error",
+    "ecs_8.1.0-dev_event",
+    "ecs_8.1.0-dev_faas",
+    "ecs_8.1.0-dev_file",
+    "ecs_8.1.0-dev_group",
+    "ecs_8.1.0-dev_host",
+    "ecs_8.1.0-dev_http",
+    "ecs_8.1.0-dev_log",
+    "ecs_8.1.0-dev_network",
+    "ecs_8.1.0-dev_observer",
+    "ecs_8.1.0-dev_orchestrator",
+    "ecs_8.1.0-dev_organization",
+    "ecs_8.1.0-dev_package",
+    "ecs_8.1.0-dev_process",
+    "ecs_8.1.0-dev_registry",
+    "ecs_8.1.0-dev_related",
+    "ecs_8.1.0-dev_rule",
+    "ecs_8.1.0-dev_server",
+    "ecs_8.1.0-dev_service",
+    "ecs_8.1.0-dev_source",
+    "ecs_8.1.0-dev_threat",
+    "ecs_8.1.0-dev_tls",
+    "ecs_8.1.0-dev_tracing",
+    "ecs_8.1.0-dev_url",
+    "ecs_8.1.0-dev_user",
+    "ecs_8.1.0-dev_user_agent",
+    "ecs_8.1.0-dev_vulnerability"
   ],
   "index_patterns": [
     "try-ecs-*"
@@ -70,4 +71,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/rfcs/PROCESS.md b/rfcs/PROCESS.md
index 088512cc90..1f14c32ccd 100644
--- a/rfcs/PROCESS.md
+++ b/rfcs/PROCESS.md
@@ -6,7 +6,7 @@ Each RFC is represented as a markdown document following a prescribed template t
 
 If proposing new fields or changing existing fields, the RFC should also have a corresponding folder (named after the RFC number) in [rfcs/text/](./text/). The folder should contain the proposed schema changes as standalone YAML files or extended example mappings and larger source documents.
 
-Generally speaking, the ECS team will help steward the process, but the work of researching and iterating on aspects of an RFC will be owned by that RFC's contributor. If an RFC is being contributed by a community member, then someone at Elastic will need to act as a sponsor of the change to act as a long term owner after completion of the process. If it's not obvious who such a sponsor might be, then the ECS committee will assign a sponsor.
+Generally speaking, the ECS team will help steward the process, but the work of researching and iterating on aspects of an RFC will be owned by that RFC's contributor. If an RFC is being contributed by a community member, then someone at Elastic will need to act as a sponsor of the change to act as a long term owner after completion of the process. The ECS team can help community users with identifying an internal sponsor. If it's not obvious who such a sponsor might be, then the ECS committee will assign a sponsor.
 
 ## Key questions we seek to answer through RFC process
 
@@ -37,6 +37,7 @@ The **ECS team**:
 * curates the overall RFC process, including closing stalled or abandoned RFCs
 * reports on the status of open RFCs
 * acts on behalf of the committee for some but not all PRs
+* helps community users identify a sponsor at Elastic
 
 The **contributor**:
 * takes responsibility for doing all necessary legwork to move their RFC forward including but not limited to responding to feedback, identifying and bringing in subject matter experts, and researching the scope of impact
diff --git a/rfcs/text/0011/Sip-via-ordering-example.txt b/rfcs/text/0011/Sip-via-ordering-example.txt
index 076c422e7a..46ebc0d2b1 100644
--- a/rfcs/text/0011/Sip-via-ordering-example.txt
+++ b/rfcs/text/0011/Sip-via-ordering-example.txt
@@ -26,4 +26,4 @@ P-hint-DBG: forward-sbc.
 v=0.
 o=- 1185881956307229883 2 IN IP4 192.168.0.155.
 s=-.
-...
\ No newline at end of file
+...
diff --git a/rfcs/text/0016-target-process.md b/rfcs/text/0016-target-process.md
index 3aa9bb74ec..30b3c71a3e 100644
--- a/rfcs/text/0016-target-process.md
+++ b/rfcs/text/0016-target-process.md
@@ -1,10 +1,8 @@
 # 0016: Target process fields
 <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
 
-- Stage: **1 (draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
-- Date: **2021-06-09** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
-
-
+- Stage: **X (abandoned)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Date: **2021-11-16** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 This RFC is to add model events that span multiple processes. There are some events for when one OS process accesses another. In Windows, this starts with a call to `OpenProcess` to gain a handle and then there are several APIs for things you can do with the handle once its open. For all of these operations, the general concept persists: one process requested access to another.
 
@@ -14,6 +12,10 @@ The most common use cases for Windows:
 * attaching a debugger
 * reading the Process Environment Block (PEB) for other benign or nefarious purpose
 
+## Stage X
+
+This RFC is not being worked on actively, and it has been marked as abandoned. If an individual wishes to advance it in the future, open a new pull request against this proposal.
+
 ## Fields
 
 **Stage 0**
@@ -169,3 +171,4 @@ The following are the people that consulted on the contents of this RFC.
 
 * Stage 0: https://github.com/elastic/ecs/pull/1286
 * Stage 1: https://github.com/elastic/ecs/pull/1297
+* Stage X: https://github.com/elastic/ecs/pull/1666
diff --git a/rfcs/text/0017-remove-log-original.md b/rfcs/text/0017-remove-log-original.md
index 30a4934e45..eeab5758c9 100644
--- a/rfcs/text/0017-remove-log-original.md
+++ b/rfcs/text/0017-remove-log-original.md
@@ -16,23 +16,23 @@ The request is to consolidate `log.original` and `event.original` by removing `l
 
 - The internal description of the field `log.original` in [`log`](0017/log.yml) should be amended by addition of a notice of deprecation and subsequently removal if/when Deprecation progresses to Removal
 
-- The internal description of the field `event.original` in [`event`](0017/event.yml) should be updated to reflect the revised scope 
+- The internal description of the field `event.original` in [`event`](0017/event.yml) should be updated to reflect the revised scope
 
 - The extended description of `log.original` in the [`Log Fields documentation`](https://github.com/elastic/ecs/blob/master/docs/field-details.asciidoc#field-log-original) should be amended by addition of a notice of deprecation and subsequently removal if/when Deprecation progresses to Removal
 
 - The extended description of `event.original` in the [`Event Fields documentation`](https://github.com/elastic/ecs/blob/master/docs/field-details.asciidoc#field-event-original) should be amended to clarify the absorption of `log.original`
 
- 
+
 ## Usage
 
-The following examples are taken verbatim from the existing field definitions 
+The following examples are taken verbatim from the existing field definitions
 and are included for completeness.
 
-These are the raw texts of entire events, for example a log message. They 
-differ from the extracted `message` field in that no processing has been 
-applied and the field is not indexed by default. The field can still be 
+These are the raw texts of entire events, for example a log message. They
+differ from the extracted `message` field in that no processing has been
+applied and the field is not indexed by default. The field can still be
 retrieved from `_source` and is well-suited to demonstration of log integrity
-or in a re-index pipeline. 
+or in a re-index pipeline.
 
 ## Source data
 
@@ -116,4 +116,4 @@ The following are the people that consulted on the contents of this RFC.
 * Stage 1: https://github.com/elastic/ecs/pull/1314
 * Stage 2: https://github.com/elastic/ecs/pull/1347
 * Stage 3: https://github.com/elastic/ecs/pull/1465
-* Implementation: https://github.com/elastic/ecs/pull/1469
\ No newline at end of file
+* Implementation: https://github.com/elastic/ecs/pull/1469
diff --git a/rfcs/text/0017/event.yml b/rfcs/text/0017/event.yml
index a26414e52e..da4a5eafda 100644
--- a/rfcs/text/0017/event.yml
+++ b/rfcs/text/0017/event.yml
@@ -2,12 +2,12 @@
 - name: event
     - name: original
       description: >
-          Raw text message of entire event. Used to demonstrate log integrity 
-          or where the full log message (before splitting it up in multiple 
+          Raw text message of entire event. Used to demonstrate log integrity
+          or where the full log message (before splitting it up in multiple
           parts) may be required, e.g. for reindex.
 
           This field is not indexed and doc_values are disabled. It cannot be
           searched, but it can be retrieved from `_source`. If users wish to
           override this and index this field, please see `Field data types`
           in the `Elasticsearch Reference`.
-          
\ No newline at end of file
+
diff --git a/rfcs/text/0017/log.yml b/rfcs/text/0017/log.yml
index 45d81e6e72..6bddebb800 100644
--- a/rfcs/text/0017/log.yml
+++ b/rfcs/text/0017/log.yml
@@ -3,7 +3,7 @@
     - name: original
       short: Deprecated Original log message with light interpretation only (encoding, newlines).
       description: >
-        Deprecated for Removal in next major version release. This field is superceeded by 
+        Deprecated for Removal in next major version release. This field is superceeded by
         `event.original`
 
         This is the original log message and contains the full log message
diff --git a/rfcs/text/0021-threat-enrichment.md b/rfcs/text/0021-threat-enrichment.md
index 803d48a457..a7e8efd00a 100644
--- a/rfcs/text/0021-threat-enrichment.md
+++ b/rfcs/text/0021-threat-enrichment.md
@@ -1,7 +1,7 @@
 # 0021: Threat Enrichment
 
-- Stage: **2 (candidate)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
-- Date: **2021-07-06** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
+- Stage: **3 (finished)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Date: **2021-10-20** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 <!--
 Stage 0: Provide a high level summary of the premise of these changes. Briefly describe the nature, purpose, and impact of the changes. ~2-5 sentences.
@@ -37,6 +37,7 @@ threat.enrichments.matched.atomic | keyword | 2f5207f2add28b46267dc99bc5382480 |
 threat.enrichments.matched.id | keyword | db8fb691ffdb4432a09ef171659c8993e6ddea1ea9b21381b93269d1bf2d0bc2 | The _id of the indicator document that matched the event
 threat.enrichments.matched.index | keyword | threat-index-000001 | The _index of the indicator document that matched the event
 threat.enrichments.matched.field | keyword | host.name | Identifies the field on the enriched event that matched the indicator
+threat.enrichments.matched.occurred | date | 2021-10-05T17:00:58.326Z | Indicates when the match was generated
 threat.enrichments.matched.type | keyword | indicator_match_rule | Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
 
 <!--
@@ -79,6 +80,7 @@ If it is determined that an event matches a given indicator, that event can be e
         // Each enrichment is added as a nested object under `threat.enrichments.*`
         // Copy all the object indicators under `indicator.*`, providing full context
         "indicator": {
+          "confidence": "High",
           "marking": {
             "tlp": "WHITE"
           },
@@ -105,6 +107,7 @@ If it is determined that an event matches a given indicator, that event can be e
           "field": "file.hash.sha256",
           "id": "abc123f03",
           "index": "threat-indicators-index-000001",
+          "occurred": "2021-10-05T17:00:58.326Z",
           "type": "indicator_match_rule"
         }
       }
@@ -136,6 +139,9 @@ If it is determined that an event matches a given indicator, that event can be e
          "match_field": "threat.indicator.file.hash.sha256",
          "enrich_fields": ["threat.indicator"]
        }
+   - script:
+     lang:  "painless"
+     inline: "ctx.threat_match.threat.matched.occurred = new SimpleDateFormat(\"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'\").setTimeZone(TimeZone.getTimeZone(\"UTC\")).format(new Date());"
    - set:
      field: "threat_match.threat.matched.type"
      value: "file-sha256-policy"
@@ -235,6 +241,7 @@ e.g.:
 * Stage 1: https://github.com/elastic/ecs/pull/1400
 * Stage 2: https://github.com/elastic/ecs/pull/1460
   * Stage 2 addendum: https://github.com/elastic/ecs/pull/1502
+* Stage 3: https://github.com/elastic/ecs/pull/1581
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN
diff --git a/rfcs/text/0021/threat.yml b/rfcs/text/0021/threat.yml
index 2f82f7d54d..c5c11c67b5 100644
--- a/rfcs/text/0021/threat.yml
+++ b/rfcs/text/0021/threat.yml
@@ -50,6 +50,14 @@
       Identifies the _index of the indicator document enriching the event.
     example: filebeat-8.0.0-2021.05.23-000011
 
+  - name: enrichments.matched.occurred
+    level: extended
+    type: date
+    short: Date of match
+    description: >
+      Indicates when the indicator match was generated
+    example: 2021-10-05T17:00:58.326Z
+
   - name: enrichments.matched.type
     level: extended
     type: keyword
@@ -145,16 +153,16 @@
     type: keyword
     short: Indicator confidence rating
     description: >
-      Identifies the confidence rating assigned by the provider using STIX confidence scales.
+      Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
 
       Expected values:
-        * Not Specified, None, Low, Medium, High
-        * 0-10
-        * Admirality Scale (1-6)
-        * DNI Scale (5-95)
-        * WEP Scale (Impossible - Certain)
+        * Not Specified
+        * None
+        * Low
+        * Medium
+        * High
 
-    example: High
+    example: Medium
 
   - name: enrichments.indicator.ip
     level: extended
diff --git a/rfcs/text/0022-remove-process-ppid.md b/rfcs/text/0022-remove-process-ppid.md
index 9916f5a32b..5a011e543a 100644
--- a/rfcs/text/0022-remove-process-ppid.md
+++ b/rfcs/text/0022-remove-process-ppid.md
@@ -1,8 +1,8 @@
 # 0022: Remove process.ppid
 <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
 
-- Stage: **2 (candidate)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
-- Date: **2021-08-05** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
+- Stage: **3 (finished)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Date: **2021-08-26** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 <!--
 As you work on your RFC, use the "Stage N" comments to guide you in what you should focus on, for the stage you're targeting.
@@ -17,7 +17,7 @@ There's no need to have two fields to capture the same value. ECS now includes a
 
 Removing `process.ppid` will take place in two steps:
 
-1. ECS `1.x`: Indicate that `process.ppid` is deprecated in the fields description in an upcoming ECS minor release. Producers and consumers of `process.ppid` should use `process.parent.pid` instead.
+1. ECS `1.x`: Indicate that `process.ppid` is deprecated in the fields description in an upcoming ECS minor release. Instead, producers and consumers of `process.ppid` should use `process.parent.pid`.
 2. Later remove `process.ppid` field as a breaking change.
 
 Removing `process.ppid` will also eliminate `process.parent.ppid`.
@@ -59,7 +59,7 @@ An example of how `process.ppid` is populated:
 }
 ```
 
-Now the mapping for above document would be updated to use `process.parent.pid` instead:
+The above mapping would be updated to use `process.parent.pid`:
 
 ```json
 {
@@ -79,10 +79,6 @@ Now the mapping for above document would be updated to use `process.parent.pid`
 }
 ```
 
-<!--
-Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
--->
-
 ## Scope of impact
 
 ### Ingestion mechanisms
@@ -91,7 +87,7 @@ APM, Beats, Elastic Agent, and any processors that populate `process.ppid` today
 
 ### Usage mechanisms
 
-The security detection rules [repo](https://github.com/elastic/detection-rules) will need audited. Any usage of `process.ppid` should ideally migrate to `process.parent.pid`, but backward compatibility also remains essential.
+The security detection rules [repo](https://github.com/elastic/detection-rules) will need auditing. Any usage of `process.ppid` should ideally migrate to `process.parent.pid`, but backward compatibility also remains essential.
 
 ### ECS
 
@@ -105,7 +101,7 @@ The `process.ppid` is populated in many data producers, so migrating to `process
 
 **Resolution**: Field aliases might be of some use to alleviate some pain during the migration for any aggregations or visualizations relying on `process.ppid`:
 
-```
+```json
 PUT rfc_0018/_mapping
 {
   "properties": {
@@ -134,10 +130,6 @@ Removing `process.ppid` will also remove its reuse in `process.parent`: `process
 
 **Resolution**: [Discussed](https://github.com/elastic/ecs/pull/1450#issuecomment-854773783) with Protections, Endpoint, and Observability stakeholders. Not having a replacement field for the parent's parent PID didn't raise significant concerns.
 
-<!--
-Stage 3: Document resolutions for all existing concerns. Any new concerns should be documented along with their resolution. The goal here is to eliminate risk of churn and instability by ensuring all concerns have been addressed.
--->
-
 ## People
 
 The following are the people that consulted on the contents of this RFC.
@@ -174,6 +166,7 @@ e.g.:
 * Stage 1: https://github.com/elastic/ecs/pull/1450
   * Stage 1 date correction: https://github.com/elastic/ecs/pull/1555
 * Stage 2: https://github.com/elastic/ecs/pull/1556
+* Stage 3: https://github.com/elastic/ecs/pull/1592
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN
diff --git a/rfcs/text/0027-faas-fields.md b/rfcs/text/0027-faas-fields.md
index d6630496f8..b85db63809 100644
--- a/rfcs/text/0027-faas-fields.md
+++ b/rfcs/text/0027-faas-fields.md
@@ -1,8 +1,8 @@
 # 0027: Function as a Service Fields
 <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
 
-- Stage: **1 (draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
-- Date: **2021-08-19** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
+- Stage: **2 (candidate)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Date: **2021-09-14** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 <!--
 As you work on your RFC, use the "Stage N" comments to guide you in what you should focus on, for the stage you're targeting.
@@ -86,6 +86,7 @@ faas.trigger.region | `cloud.origin.region`
 <!--
 Stage 2: Add or update all remaining field definitions. The list should now be exhaustive. The goal here is to validate the technical details of all remaining fields and to provide a basis for releasing these field definitions as beta in the schema. Use GitHub code blocks with yml syntax formatting, and add them to the corresponding RFC folder.
 -->
+Done.
 
 ## Usage
 
@@ -116,6 +117,160 @@ Faas functions provide meta-information in their execution environment. APM agen
 <!--
 Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting, or if on the larger side, add them to the corresponding RFC folder.
 -->
+The above fields will be derived by the APM agents from the AWS Lambda `context object` and the `event object` that are passed with an invocation of a Lambda function. Below is an example for the context and event object.
+The mapping to the proposed fields for this example is layed out in the following table
+
+target ECS field | source field
+--- | ---
+faas.coldstart | No source field. Determined by the APM agent on the first Lambda function invocation.
+faas.execution | `context.awsRequestId`
+faas.trigger.type | No source field. Determined by the APM agent based on the `event object` type. Would be `http` in this example.
+faas.trigger.request_id | `event.requestContext.requestId`
+service.origin.name | `${event.requestContext.httpMethod} ${event.requestContext.resourcePath}/${event.requestContext.stage}` -> `GET /fetch_all/dev`
+service.origin.id | `event.requestContext.apiId`
+service.origin.version | No source field. Determined by the APM agent based on the `event object` type whether it's API version `1.0` or `2.0`.
+cloud.origin.service.name | `api gateway`
+cloud.origin.account.id | `event.requestContext.accountId`
+
+### AWS Lambda context object
+Description [available here](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-context.html).
+
+**context:**
+```json
+{
+    "callbackWaitsForEmptyEventLoop": true,
+    "functionVersion": "$LATEST",
+    "functionName": "the-function-name",
+    "memoryLimitInMB": "128",
+    "logGroupName": "/aws/lambda/the-function-name",
+    "logStreamName": "2021/08/13/[$LATEST]08834acf4e4f463b95b7b99aa8b34aff",
+    "invokedFunctionArn": "arn:aws:lambda:us-west-2:XXXXXXXXXXXX:function:the-function-name",
+    "awsRequestId": "649bf7d0-c6ae-432d-899d-da44ccd7ee95"
+}
+```
+### AWS Lambda event object
+Description [available here](https://docs.aws.amazon.com/lambda/latest/dg/services-apigateway.html).
+
+**event:**
+```json
+{
+    "resource": "/fetch_all",
+    "path": "/fetch_all",
+    "httpMethod": "GET",
+    "headers": {
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+        "Accept-Encoding": "gzip, deflate, br",
+        "Accept-Language": "en-US,en;q=0.5",
+        "CloudFront-Forwarded-Proto": "https",
+        "CloudFront-Is-Desktop-Viewer": "true",
+        "CloudFront-Is-Mobile-Viewer": "false",
+        "CloudFront-Is-SmartTV-Viewer": "false",
+        "CloudFront-Is-Tablet-Viewer": "false",
+        "CloudFront-Viewer-Country": "US",
+        "Host": "02plqthge2.execute-api.us-east-1.amazonaws.com",
+        "upgrade-insecure-requests": "1",
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
+        "Via": "2.0 969f35f01b6eddd92239a3e818fc1e0d.cloudfront.net (CloudFront)",
+        "X-Amz-Cf-Id": "eDbpfDwO-CRYymEFLkW6CBCsU_H_PS8R93_us53QWvXWLS45v3NvQw==",
+        "X-Amzn-Trace-Id": "Root=1-5e502af4-fd0c1c6fdc164e1d6361183b",
+        "X-Forwarded-For": "76.76.241.57, 52.46.47.139",
+        "X-Forwarded-Port": "443",
+        "X-Forwarded-Proto": "https"
+    },
+    "multiValueHeaders": {
+        "Accept": [
+            "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
+        ],
+        "Accept-Encoding": [
+            "gzip, deflate, br"
+        ],
+        "Accept-Language": [
+            "en-US,en;q=0.5"
+        ],
+        "CloudFront-Forwarded-Proto": [
+            "https"
+        ],
+        "CloudFront-Is-Desktop-Viewer": [
+            "true"
+        ],
+        "CloudFront-Is-Mobile-Viewer": [
+            "false"
+        ],
+        "CloudFront-Is-SmartTV-Viewer": [
+            "false"
+        ],
+        "CloudFront-Is-Tablet-Viewer": [
+            "false"
+        ],
+        "CloudFront-Viewer-Country": [
+            "US"
+        ],
+        "Host": [
+            "02plqthge2.execute-api.us-east-1.amazonaws.com"
+        ],
+        "upgrade-insecure-requests": [
+            "1"
+        ],
+        "User-Agent": [
+            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
+        ],
+        "Via": [
+            "2.0 969f35f01b6eddd92239a3e818fc1e0d.cloudfront.net (CloudFront)"
+        ],
+        "X-Amz-Cf-Id": [
+            "eDbpfDwO-CRYymEFLkW6CBCsU_H_PS8R93_us53QWvXWLS45v3NvQw=="
+        ],
+        "X-Amzn-Trace-Id": [
+            "Root=1-5e502af4-fd0c1c6fdc164e1d6361183b"
+        ],
+        "X-Forwarded-For": [
+            "76.76.241.57, 52.46.47.139"
+        ],
+        "X-Forwarded-Port": [
+            "443"
+        ],
+        "X-Forwarded-Proto": [
+            "https"
+        ]
+    },
+    "queryStringParameters": null,
+    "multiValueQueryStringParameters": null,
+    "pathParameters": null,
+    "stageVariables": null,
+    "requestContext": {
+        "resourceId": "y3tkf7",
+        "resourcePath": "/fetch_all",
+        "httpMethod": "GET",
+        "extendedRequestId": "IQumRELJIAMF6fQ=",
+        "requestTime": "21/Feb/2020:19:09:40 +0000",
+        "path": "/dev/fetch_all",
+        "accountId": "571481734049",
+        "protocol": "HTTP/1.1",
+        "stage": "dev",
+        "domainPrefix": "02plqthge2",
+        "requestTimeEpoch": 1582312180890,
+        "requestId": "6f3dffca-46f8-4c8b-800b-6bc1ea2554ec",
+        "identity": {
+            "cognitoIdentityPoolId": null,
+            "accountId": null,
+            "cognitoIdentityId": null,
+            "caller": null,
+            "sourceIp": "76.76.241.57",
+            "principalOrgId": null,
+            "accessKey": null,
+            "cognitoAuthenticationType": null,
+            "cognitoAuthenticationProvider": null,
+            "userArn": null,
+            "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
+            "user": null
+        },
+        "domainName": "02plqthge2.execute-api.us-east-1.amazonaws.com",
+        "apiId": "02plqthge2"
+    },
+    "body": null,
+    "isBase64Encoded": false
+}
+```
 
 <!--
 Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
@@ -130,6 +285,13 @@ Stage 2: Identifies scope of impact of changes. Are breaking changes required? S
  * ECS project (e.g. docs, tooling)
 The goal here is to research and understand the impact of these changes on users in the community and development teams across Elastic. 2-5 sentences each.
 -->
+- Ingestion mechanisms:
+  - APM server will extend the intake V2 API to accept the new fields and store them with the transaction documents
+  - APM server will extend OpenTelemetry field mapping to account for these new fields
+- Usage mechanisms:
+  - APM UI may utilize the new fields to provide Lambda / serverless specific visualizations (e.g. indicating cold starts on transactions in the waterfall view, showing meta information on lambda service views)
+- ECS project
+  - the concept of self-nesting service and cloud fields under *origin* and *target* needs clear documentation that avoids confusion around when to use which of the fields. Tried to address this with the description in the schema for those fields in this PR.
 
 ## Concerns
 
@@ -149,6 +311,8 @@ Stage 1: Identify potential concerns, implementation challenges, or complexity.
 Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns.
 -->
 
+- extended descriptio / footnote for service and cloud fields in this PR to avoid confusion about *origin* and *target* nesting of service and cloud fields
+
 <!--
 Stage 3: Document resolutions for all existing concerns. Any new concerns should be documented along with their resolution. The goal here is to eliminate risk of churn and instability by ensuring all concerns have been addressed.
 -->
@@ -185,3 +349,5 @@ e.g.:
 
 * Stage 0: https://github.com/elastic/ecs/pull/1518
 * Stage 1: https://github.com/elastic/ecs/pull/1542
+* Stage 2: https://github.com/elastic/ecs/pull/1594
+  * Stage 2 date correction: https://github.com/elastic/ecs/pull/1642
diff --git a/rfcs/text/0027/cloud.yml b/rfcs/text/0027/cloud.yml
index c061488986..cc0c22fa9a 100644
--- a/rfcs/text/0027/cloud.yml
+++ b/rfcs/text/0027/cloud.yml
@@ -1,11 +1,22 @@
 ---
 - name: cloud
+  footnote: >
+    Examples: If Metricbeat is running on an EC2 host and fetches data from its
+    host, the cloud info contains the data about this machine. If Metricbeat
+    runs on a remote machine outside the cloud and fetches data from a service
+    running in the cloud, the field contains cloud data from the machine the
+    service is running on.
+
+    The cloud fields may be self-nested under cloud.origin.* and cloud.target.* to describe origin or target service's cloud information in the context of incoming or outgoing requests, respectively.
+    However, the fieldsets cloud.origin.* and cloud.target.* must not be confused with the root cloud fieldset that is used to describe the cloud context of the actual service under observation.
+    The fieldset cloud.origin.* may only be used in the context of incoming requests or events to provide the originating service's cloud information.
+    The fieldset cloud.target.* may only be used in the context of outgoing requests or events to describe the target service's cloud information.
   reusable:
     top_level: true
     expected:
       - at: cloud
         as: target
-        short_override: Cloud information about the invocation target.
+        short_override: Provides the cloud information of the target entity in case of an outgoing request or event.
       - at: cloud
         as: origin
-        short_override: Cloud information about the invocation origin.
+        short_override: Provides the cloud information of the origin entity in case of an incoming request or event.
diff --git a/rfcs/text/0027/service.yml b/rfcs/text/0027/service.yml
index 8e5d932b98..1217e04f14 100644
--- a/rfcs/text/0027/service.yml
+++ b/rfcs/text/0027/service.yml
@@ -1,11 +1,16 @@
 ---
 - name: service
+  footnote: >
+    The service fields may be self-nested under service.origin.* and service.target.* to describe origin or target services in the context of incoming or outgoing requests, respectively.
+    However, the fieldsets service.origin.* and service.target.* must not be confused with the root service fieldset that is used to describe the actual service under observation.
+    The fieldset service.origin.* may only be used in the context of incoming requests or events to describe the originating service of the request.
+    The fieldset service.target.* may only be used in the context of outgoing requests or events to describe the target service of the request.
   reusable:
     top_level: true
     expected:
       - at: service
         as: target
-        short_override: Target service of an invocation.
+        short_override: Describes the target service in case of an outgoing request or event.
       - at: service
         as: origin
-        short_override: Origin service of an invocation.
+        short_override: Describes the origin service in case of an incoming request or event.
diff --git a/rfcs/text/0028-cgroups.md b/rfcs/text/0028-cgroups.md
new file mode 100644
index 0000000000..837d7e179a
--- /dev/null
+++ b/rfcs/text/0028-cgroups.md
@@ -0,0 +1,119 @@
+# 0028: cgroup fieldset
+<!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
+
+- Stage: **1 (strawperson)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Date: **2021-11-05** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
+
+<!--
+As you work on your RFC, use the "Stage N" comments to guide you in what you should focus on, for the stage you're targeting.
+Feel free to remove these comments as you go along.
+-->
+
+This is a proposal to add a top-level `cgroup` fields to ECS. We have cgroup V2 support incoming in the system/process metricset in 7.15, and cgroups V2 reports a variety of metric fields differently compared to V1. While many OSes and platforms are currently operating in "hybrid" or V1 only mode, this will become an issue as more OSes and cgroup-based platforms like docker make use of cgroups V2.
+Right now, a handful of visualizations in the observability App within Kibana use cgroup metrics, and these visualizations will only work on Cgroups V1. In order to extract the same or similar metrics under V2, they will need to access different fields. This is an excellent use case for ECS, as it allows us to standardize the placement of common metrics such as cgroup cpu/memory usage, etc, particularly as visualizations are already relying on these metrics.
+In the case of Cgroups V1 versus V2, we decided to report V2 metrics "natively" as opposed to conforming to the V1 fields in order to avoid mangling V2 metrics and confusing users who were expecting V2 metrics to be reported in a similarly transparent fashion as V1. Many of the field changes are the result of cgroup controllers changing names; for example, the V1 `blkio` controller becomes `io` on V2, with many of the underlying metrics remaining the same.
+
+The scope of cgroup metrics may also expand over time, as other processors and data streams add cgroup metrics, thus requiring common fields for metrics reported across different data streams. This is also relevant to container monitoring, as we may want to report "raw" cgroup metrics from containers as our container monitoring expands.
+
+
+<!--
+Stage X: Provide a brief explanation of why the proposal is being marked as abandoned. This is useful context for anyone revisiting this proposal or considering similar changes later on.
+-->
+
+## Fields
+
+The fields added by this RFC are _not a comprehensive list of all metrics that are shared with both cgroups V1 and V2_. Rather, it is a list of all shared cgroup metrics that are most likely to be useful for future monitoring and visualization. As it stands, this is currently limited to `cpu` and `memory` metrics. We can expand this, of course, but this current PR covers the most important metrics shared across cgroups.
+
+<!--
+Stage 2: Add or update all remaining field definitions. The list should now be exhaustive. The goal here is to validate the technical details of all remaining fields and to provide a basis for releasing these field definitions as beta in the schema. Use GitHub code blocks with yml syntax formatting, and add them to the corresponding RFC folder.
+-->
+
+## Usage
+
+This rfc is meant to head off an oncoming problem, which is that various components in the Elastic Stack are incompatible with cgroups V2. Kibana, for example, will frequently use field names that are exclusive to cgroups V1:
+
+```
+export const METRIC_CGROUP_MEMORY_LIMIT_BYTES = 'system.process.cgroup.memory.mem.limit.bytes';
+```
+
+While cgroups V2 adoption is fairly low, particularly among LTS-style distros and software, this is going to become a problem, and we first need an ECS standard for what these fields should be called.
+
+Aside from existing code, this will help with users running under a "hybrid" cgroups system, as the metricbeat cgroups code must decide if a process is under the control of cgroups V1 or V2, which means different processes on a system can report different cgroups code. A common set of fields will allow important metrics to be comparable across the system, even if that system is using two different versions of cgroups.
+The same can be said for heterogeneous clusters running different versions of cgroups across multiple machines.
+
+## Source data
+
+The source data for much of cgroups comes from the cgroupfs file system on the host machine:
+
+```
+ls /sys/fs/cgroup/user.slice/user-1000.slice/session-23.scope
+cgroup.controllers  cgroup.freeze     cgroup.max.descendants  cgroup.stat             cgroup.threads  cpu.pressure  io.pressure     memory.events        memory.high  memory.max  memory.numa_stat  memory.pressure  memory.swap.current  memory.swap.high  pids.current  pids.max
+cgroup.events       cgroup.max.depth  cgroup.procs            cgroup.subtree_control  cgroup.type     cpu.stat      memory.current  memory.events.local  memory.low   memory.min  memory.oom.group  memory.stat      memory.swap.events   memory.swap.max   pids.events
+```
+
+The structure and content of these directories varies between V1 and V2.
+
+<!--
+Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting, or if on the larger side, add them to the corresponding RFC folder.
+-->
+
+<!--
+Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
+-->
+
+## Scope of impact
+
+<!--
+Stage 2: Identifies scope of impact of changes. Are breaking changes required? Should deprecation strategies be adopted? Will significant refactoring be involved? Break the impact down into:
+ * Ingestion mechanisms (e.g. beats/logstash)
+ * Usage mechanisms (e.g. Kibana applications, detections)
+ * ECS project (e.g. docs, tooling)
+The goal here is to research and understand the impact of these changes on users in the community and development teams across Elastic. 2-5 sentences each.
+-->
+
+## Concerns
+
+The underlying code that reports these metrics currently exists, this RFC represents only the final step in the process to standardize metrics between two different reporting versions. Perhaps the largest potential concern here is that the problems addressed by this RFC are technically temporary. In theory, cgroups V1 will eventually get deprecated, rendering the need for a common set of fields moot. In addition, cgroups is entirely transparent
+to the overwhelming majority of users, who will never interact with cgroups directly.
+
+<!--
+Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns.
+-->
+
+<!--
+Stage 3: Document resolutions for all existing concerns. Any new concerns should be documented along with their resolution. The goal here is to eliminate risk of churn and instability by ensuring all concerns have been addressed.
+-->
+
+## People
+
+The following are the people that consulted on the contents of this RFC.
+
+* @fearful-symmetry | author
+* @jsoriano | sponsor
+
+
+<!--
+Who will be or has been consulted on the contents of this RFC? Identify authorship and sponsorship, and optionally identify the nature of involvement of others. Link to GitHub aliases where possible. This list will likely change or grow stage after stage.
+
+e.g.:
+
+* @Yasmina | author
+* @Monique | sponsor
+* @EunJung | subject matter expert
+* @JaneDoe | grammar, spelling, prose
+* @Mariana
+-->
+
+
+## References
+
+<!-- Insert any links appropriate to this RFC in this section. -->
+
+### RFC Pull Requests
+
+<!-- An RFC should link to the PRs for each of it stage advancements. -->
+
+* Stage 0: https://github.com/elastic/ecs/pull/1610
+* Stage 1: https://github.com/elastic/ecs/pull/1626
+  * Stage 1 date correction: https://github.com/elastic/ecs/pull/1650
+
diff --git a/rfcs/text/0028/cgroups.yml b/rfcs/text/0028/cgroups.yml
new file mode 100644
index 0000000000..a5ac3eb343
--- /dev/null
+++ b/rfcs/text/0028/cgroups.yml
@@ -0,0 +1,77 @@
+---
+- name: cgroup
+  title: Common cgroup metrics
+  group: 2
+  short: fields common to cgroups V1 and V2
+  description: >
+    Fields related to cgroup metrics. Due to controller changes betweeen V1 and V2, many same or similar metrics
+    will often appear under different controller names. These fields are common to both cgroup versions.
+  type: group
+  fields:
+    - name: version
+      level: extended
+      type: long
+      description: >
+        The cgroups version linked to the metrics
+    - name: cpu
+      level: extended
+      type: group
+      short: CPU Metrics
+      description: >
+        Metrics related to CPU controllers.
+      fields:
+        - name: periods
+          level: extended
+          type: long
+          example: 454839343
+          description: >
+            Number of period intervals that have elapsed.
+        - name: throttled
+          level: extended
+          type: group
+          description: >
+            Metrics for the time a resource has been throttled.
+          fields:
+            - name: us
+              level: extended
+              type: long
+              example: 15000
+              description: >
+                Microseconds of CPU throttled time.
+        - name: usage
+          level: extended
+          type: scaled_float
+          scaling_factor: 1000
+          description: >
+            CPU usage, normalized by the CPU count.
+    - name: memory
+      level: extended
+      type: group
+      description: >
+        Metrics related to memory controllers.
+      fields:
+        - name: usage
+          level: extended
+          type: long
+          example: 25600
+          description: >
+            Memory usage in bytes
+        - name: limit
+          type: long
+          example: 256
+          description: >
+            Memory limit within the cgroup.
+        - name: swap
+          level: extended
+          type: group
+          description: >
+            Cgroup swap statistics.
+          fields:
+            - name: usage
+              level: extended
+              type: long
+              example: 5600
+              description: >
+                The amount of cgroup memory in swap.
+
+
diff --git a/schemas/agent.yml b/schemas/agent.yml
index a7758e90ce..8421a66eed 100644
--- a/schemas/agent.yml
+++ b/schemas/agent.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: agent
   title: Agent
diff --git a/schemas/as.yml b/schemas/as.yml
index 3d1f7db031..a2c36b22ef 100644
--- a/schemas/as.yml
+++ b/schemas/as.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: as
   title: Autonomous System
diff --git a/schemas/base.yml b/schemas/base.yml
index 30e345d068..34d0b60ec6 100644
--- a/schemas/base.yml
+++ b/schemas/base.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: base
   root: true
diff --git a/schemas/client.yml b/schemas/client.yml
index 3011c97b46..539a7a2e18 100644
--- a/schemas/client.yml
+++ b/schemas/client.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: client
   title: Client
diff --git a/schemas/cloud.yml b/schemas/cloud.yml
index ef0651ba63..0e97490b66 100644
--- a/schemas/cloud.yml
+++ b/schemas/cloud.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: cloud
   title: Cloud
@@ -12,6 +28,28 @@
     runs on a remote machine outside the cloud and fetches data from a service
     running in the cloud, the field contains cloud data from the machine the
     service is running on.
+
+    The cloud fields may be self-nested under cloud.origin.* and cloud.target.* 
+    to describe origin or target service's cloud information in the context of 
+    incoming or outgoing requests, respectively. However, the fieldsets 
+    cloud.origin.* and cloud.target.* must not be confused with the root cloud 
+    fieldset that is used to describe the cloud context of the actual service 
+    under observation. The fieldset cloud.origin.* may only be used in the 
+    context of incoming requests or events to provide the originating service's 
+    cloud information. The fieldset cloud.target.* may only be used in the 
+    context of outgoing requests or events to describe the target service's 
+    cloud information.
+  reusable:
+    top_level: true
+    expected:
+      - at: cloud
+        as: origin
+        beta: Reusing the `cloud` fields in this location is currently considered beta.
+        short_override: Provides the cloud information of the origin entity in case of an incoming request or event.
+      - at: cloud
+        as: target
+        beta: Reusing the `cloud` fields in this location is currently considered beta.
+        short_override: Provides the cloud information of the target entity in case of an outgoing request or event.
   type: group
   fields:
     - name: provider
diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml
index 2804029a7f..056262370f 100644
--- a/schemas/code_signature.yml
+++ b/schemas/code_signature.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: code_signature
   title: Code Signature
diff --git a/schemas/container.yml b/schemas/container.yml
index 04cc138572..047c10fa8a 100644
--- a/schemas/container.yml
+++ b/schemas/container.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: container
   title: Container
diff --git a/schemas/data_stream.yml b/schemas/data_stream.yml
index a169b0a61c..9dcf02a92c 100644
--- a/schemas/data_stream.yml
+++ b/schemas/data_stream.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: data_stream
   title: Data Stream
diff --git a/schemas/destination.yml b/schemas/destination.yml
index c600377b92..6b084e6bab 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: destination
   title: Destination
diff --git a/schemas/dll.yml b/schemas/dll.yml
index f4bf90a2c5..7e832dec11 100644
--- a/schemas/dll.yml
+++ b/schemas/dll.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: dll
   title: DLL
diff --git a/schemas/dns.yml b/schemas/dns.yml
index afe11a190a..29826f72cd 100644
--- a/schemas/dns.yml
+++ b/schemas/dns.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: dns
   title: DNS
diff --git a/schemas/ecs.yml b/schemas/ecs.yml
index de7bb39fe4..497e9d1b5d 100644
--- a/schemas/ecs.yml
+++ b/schemas/ecs.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: ecs
   title: ECS
diff --git a/schemas/elf.yml b/schemas/elf.yml
index 525b155414..ca174f3a63 100644
--- a/schemas/elf.yml
+++ b/schemas/elf.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: elf
   title: ELF Header
diff --git a/schemas/error.yml b/schemas/error.yml
index 7181c70799..765803440c 100644
--- a/schemas/error.yml
+++ b/schemas/error.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: error
   title: Error
diff --git a/schemas/event.yml b/schemas/event.yml
index ed7ec19a3a..57299a2fa7 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: event
   title: Event
@@ -64,7 +80,7 @@
 
             `event.kind:alert` is often populated for events coming from firewalls,
             intrusion detection systems, endpoint detection and response systems, and so on.
-            
+
             This value is not used by Elastic solutions for alert documents
             that are created by rules executing within the Kibana alerting framework.
         - name: enrichment
diff --git a/schemas/faas.yml b/schemas/faas.yml
new file mode 100644
index 0000000000..3d0a6d54cd
--- /dev/null
+++ b/schemas/faas.yml
@@ -0,0 +1,65 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: faas
+  group: 2
+  title: FaaS
+  short: Fields describing functions as a service.
+  description: >
+    The user fields describe information about the function
+    as a service that is relevant to the event.
+  beta: >
+    These fields are in beta and are subject to change.
+  type: group
+  fields:
+    - name: coldstart
+      description: >
+        Boolean value indicating a cold start of a function.
+      type: boolean
+      level: extended
+    - name: execution
+      description: >
+        The execution ID of the current function execution.
+      type: keyword
+      level: extended
+      example: "af9d5aa4-a685-4c5f-a22b-444f80b3cc28"
+    - name: trigger
+      level: extended
+      type: nested
+      description: >
+        Details about the function trigger.
+    - name: trigger.type
+      level: extended
+      type: keyword
+      short: The trigger for the function execution.
+      description: >
+        The trigger for the function execution.
+
+        Expected values are:
+          * http
+          * pubsub
+          * datasource
+          * timer
+          * other
+      example: http
+    - name: trigger.request_id
+      level: extended
+      type: keyword
+      description: >
+        The ID of the trigger request , message, event, etc.
+      example: 123456789
+
diff --git a/schemas/file.yml b/schemas/file.yml
index fa50793ce7..39de2ff68e 100644
--- a/schemas/file.yml
+++ b/schemas/file.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: file
   group: 2
diff --git a/schemas/geo.yml b/schemas/geo.yml
index fe1e80a3e6..874e43fa1f 100644
--- a/schemas/geo.yml
+++ b/schemas/geo.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: geo
   title: Geo
diff --git a/schemas/group.yml b/schemas/group.yml
index 471e1f9a8b..47146583f4 100644
--- a/schemas/group.yml
+++ b/schemas/group.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: group
   title: Group
diff --git a/schemas/hash.yml b/schemas/hash.yml
index 5305d0f3a1..4d60b52edb 100644
--- a/schemas/hash.yml
+++ b/schemas/hash.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: hash
   title: Hash
@@ -17,15 +33,11 @@
 
   reusable:
     top_level: false
+    order: 1
     expected:
       - file
       - process
       - dll
-      - at: threat.indicator
-        as: hash
-      - at: threat.enrichments.indicator
-        as: hash
-        beta: Reusing the `hash` fields in this location is currently considered beta.
 
   fields:
 
diff --git a/schemas/host.yml b/schemas/host.yml
index d46bbe6a64..8b964f2dc2 100644
--- a/schemas/host.yml
+++ b/schemas/host.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: host
   title: Host
diff --git a/schemas/http.yml b/schemas/http.yml
index f49055e52a..8b86943a2c 100644
--- a/schemas/http.yml
+++ b/schemas/http.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: http
   title: HTTP
diff --git a/schemas/interface.yml b/schemas/interface.yml
index ed62297394..2617f109b0 100644
--- a/schemas/interface.yml
+++ b/schemas/interface.yml
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
 - name: interface
   title: Interface
   group: 2
diff --git a/schemas/log.yml b/schemas/log.yml
index d08b2b818e..66743520fc 100644
--- a/schemas/log.yml
+++ b/schemas/log.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: log
   title: Log
diff --git a/schemas/network.yml b/schemas/network.yml
index c6fed904b7..cca7f4b563 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: network
   title: Network
@@ -24,8 +40,7 @@
       description: >
         In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
 
-        The field value must be normalized to lowercase for querying. See
-        the documentation section "Implementing ECS".
+        The field value must be normalized to lowercase for querying.
       example: ipv4
 
     - name: iana_number
@@ -46,8 +61,7 @@
         Same as network.iana_number, but instead using the Keyword name of the
         transport layer (udp, tcp, ipv6-icmp, etc.)
 
-        The field value must be normalized to lowercase for querying. See
-        the documentation section "Implementing ECS".
+        The field value must be normalized to lowercase for querying.
       example: tcp
 
     - name: application
@@ -56,25 +70,26 @@
       short: >
         Application level protocol name.
       description: >
-        A name given to an application level protocol. This can be arbitrarily assigned for
-        things like microservices, but also apply to things like skype, icq,
-        facebook, twitter. This would be used in situations where the vendor
-        or service can be decoded such as from the source/dest IP owners,
-        ports, or wire format.
-
-        The field value must be normalized to lowercase for querying. See
-        the documentation section "Implementing ECS".
+        When a specific application or service is identified from network
+        connection details (source/dest IPs, ports, certificates, or
+        wire format), this field captures the application's or service's name.
+
+        For example, the original event identifies the network connection being
+        from a specific web service in a `https` network connection, like
+        `facebook` or `twitter`.
+
+        The field value must be normalized to lowercase for querying.
       example: aim
 
     - name: protocol
       level: core
       type: keyword
-      short: L7 Network protocol name.
+      short: Application protocol name.
       description: >
-        L7 Network protocol name. ex. http, lumberjack, transport protocol.
+        In the OSI Model this would be the Application Layer protocol. For
+        example, `http`, `dns`, or `ssh`.
 
-        The field value must be normalized to lowercase for querying. See
-        the documentation section "Implementing ECS".
+        The field value must be normalized to lowercase for querying.
       example: http
 
     - name: direction
diff --git a/schemas/observer.yml b/schemas/observer.yml
index 9cee51c1c6..e95cf7247d 100644
--- a/schemas/observer.yml
+++ b/schemas/observer.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: observer
   title: Observer
diff --git a/schemas/orchestrator.yml b/schemas/orchestrator.yml
index e90577ca70..ddfd9c19bf 100644
--- a/schemas/orchestrator.yml
+++ b/schemas/orchestrator.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: orchestrator
   title: Orchestrator
diff --git a/schemas/organization.yml b/schemas/organization.yml
index b468f2eb91..237ece1507 100644
--- a/schemas/organization.yml
+++ b/schemas/organization.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: organization
   title: Organization
diff --git a/schemas/os.yml b/schemas/os.yml
index a65e2d11cd..f6ae18b0c5 100644
--- a/schemas/os.yml
+++ b/schemas/os.yml
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
 - name: os
   title: Operating System
   group: 2
diff --git a/schemas/package.yml b/schemas/package.yml
index a1d5cbb00f..957e7d5ff8 100644
--- a/schemas/package.yml
+++ b/schemas/package.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: package
   title: Package
diff --git a/schemas/pe.yml b/schemas/pe.yml
index c8601b1c9a..ef0d087161 100644
--- a/schemas/pe.yml
+++ b/schemas/pe.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: pe
   title: PE Header
@@ -6,15 +22,12 @@
   type: group
   reusable:
     top_level: false
+    order: 1
     expected:
       - file
       - dll
       - process
-      - at: threat.indicator
-        as: pe
-      - at: threat.enrichments.indicator
-        as: pe
-        beta: Reusing the `pe` fields in this location is currently considered beta.
+
   fields:
     - name: original_file_name
       level: extended
diff --git a/schemas/process.yml b/schemas/process.yml
index eeced441c0..7a388aea3d 100644
--- a/schemas/process.yml
+++ b/schemas/process.yml
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
 - name: process
   title: Process
   group: 2
@@ -56,14 +73,6 @@
       - type: match_only_text
         name: text
 
-    - name: ppid
-      format: string
-      level: extended
-      type: long
-      description: >
-        Parent process' pid.
-      example: 4241
-
     - name: pgid
       format: string
       level: extended
diff --git a/schemas/registry.yml b/schemas/registry.yml
index 848f848c08..0ceeabd431 100644
--- a/schemas/registry.yml
+++ b/schemas/registry.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: registry
   title: Registry
diff --git a/schemas/related.yml b/schemas/related.yml
index c40e339e7e..b052fa3c00 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: related
   title: Related
diff --git a/schemas/rule.yml b/schemas/rule.yml
index c0daf79892..54f3d601f5 100644
--- a/schemas/rule.yml
+++ b/schemas/rule.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: rule
   title: Rule
diff --git a/schemas/server.yml b/schemas/server.yml
index b5d66c63e7..1552a42964 100644
--- a/schemas/server.yml
+++ b/schemas/server.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: server
   title: Server
diff --git a/schemas/service.yml b/schemas/service.yml
index 83d558c342..5eb6ea469a 100644
--- a/schemas/service.yml
+++ b/schemas/service.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: service
   title: Service
@@ -8,6 +24,27 @@
 
     These fields help you find and correlate logs for a specific
     service and version.
+  footnote: >
+    The service fields may be self-nested under service.origin.* and service.target.* 
+    to describe origin or target services in the context of incoming or outgoing requests, 
+    respectively.
+    However, the fieldsets service.origin.* and service.target.* must not be confused with 
+    the root service fieldset that is used to describe the actual service under observation.
+    The fieldset service.origin.* may only be used in the context of incoming requests or 
+    events to describe the originating service of the request. The fieldset service.target.* 
+    may only be used in the context of outgoing requests or events to describe the target 
+    service of the request.
+  reusable:
+    top_level: true
+    expected:
+      - at: service
+        as: origin
+        beta: Reusing the `service` fields in this location is currently considered beta.
+        short_override: Describes the origin service in case of an incoming request or event.
+      - at: service
+        as: target
+        beta: Reusing the `service` fields in this location is currently considered beta.
+        short_override: Describes the target service in case of an outgoing request or event.
   type: group
   fields:
 
diff --git a/schemas/source.yml b/schemas/source.yml
index 8f3e5f1350..644fddcb82 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: source
   title: Source
diff --git a/schemas/threat.yml b/schemas/threat.yml
index 0410edfffd..e78e3a2b3b 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: threat
   title: Threat
@@ -22,6 +38,8 @@
       description: >
         A list of associated indicators objects enriching the event, and the context of
         that association/enrichment.
+      normalize:
+        - array
 
     - name: enrichments.indicator
       level: extended
@@ -224,6 +242,14 @@
         Identifies the _index of the indicator document enriching the event.
       example: filebeat-8.0.0-2021.05.23-000011
 
+    - name: enrichments.matched.occurred
+      level: extended
+      type: date
+      short: Date of match
+      description: >
+        Indicates when the indicator match was generated
+      example: 2021-10-05T17:00:58.326Z
+
     - name: enrichments.matched.type
       level: extended
       type: keyword
diff --git a/schemas/tls.yml b/schemas/tls.yml
index 3ecacb041a..8e7502eea3 100644
--- a/schemas/tls.yml
+++ b/schemas/tls.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: tls
   title: TLS
diff --git a/schemas/tracing.yml b/schemas/tracing.yml
index 8e23514e3d..c6d6a63348 100644
--- a/schemas/tracing.yml
+++ b/schemas/tracing.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: tracing
   title: Tracing
diff --git a/schemas/url.yml b/schemas/url.yml
index 1a69dec8d3..8c8209b7a4 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: url
   title: URL
diff --git a/schemas/user.yml b/schemas/user.yml
index ec15bc5f54..db0f994787 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: user
   title: User
diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml
index 2facf6eb0f..d8d17d3645 100644
--- a/schemas/user_agent.yml
+++ b/schemas/user_agent.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: user_agent
   title: User agent
diff --git a/schemas/vlan.yml b/schemas/vlan.yml
index 84c0457355..59536d0b1b 100644
--- a/schemas/vlan.yml
+++ b/schemas/vlan.yml
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
 - name: vlan
   title: VLAN
   group: 2
diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml
index c2af5f14f1..cb471086fd 100644
--- a/schemas/vulnerability.yml
+++ b/schemas/vulnerability.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: vulnerability
   title: Vulnerability
diff --git a/schemas/x509.yml b/schemas/x509.yml
index 0238d4576c..34cc1a4e60 100644
--- a/schemas/x509.yml
+++ b/schemas/x509.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 - name: x509
   title: x509 Certificate
@@ -15,6 +31,7 @@
   type: group
   reusable:
     top_level: false
+    order: 1
     expected:
       - file
       - at: threat.indicator
diff --git a/scripts/__init__.py b/scripts/__init__.py
index e69de29bb2..fae77611ff 100644
--- a/scripts/__init__.py
+++ b/scripts/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
diff --git a/scripts/generator.py b/scripts/generator.py
index 31772f3c79..9c7fc56f15 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import argparse
 import glob
 import os
diff --git a/scripts/generators/__init__.py b/scripts/generators/__init__.py
index e69de29bb2..fae77611ff 100644
--- a/scripts/generators/__init__.py
+++ b/scripts/generators/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py
index 840a0ad262..15ac9cc980 100644
--- a/scripts/generators/asciidoc_fields.py
+++ b/scripts/generators/asciidoc_fields.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 from functools import wraps
 import os.path as path
 
@@ -122,7 +139,7 @@ def save_asciidoc(f, text):
 
 TEMPLATE_DIR = path.join(path.dirname(path.abspath(__file__)), '../templates')
 template_loader = jinja2.FileSystemLoader(searchpath=TEMPLATE_DIR)
-template_env = jinja2.Environment(loader=template_loader)
+template_env = jinja2.Environment(loader=template_loader, keep_trailing_newline=True)
 
 # Rendering schemas
 
diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py
index f36eebad55..cab1e50d74 100644
--- a/scripts/generators/beats.py
+++ b/scripts/generators/beats.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 from os.path import join
 from collections import OrderedDict
 from generators import ecs_helpers
@@ -23,6 +40,8 @@ def generate(ecs_nested, ecs_version, out_dir):
             continue
 
         beats_field = ecs_helpers.dict_copy_keys_ordered(fieldset, allowed_fieldset_keys)
+        if 'default_field' not in beats_field:
+            beats_field['default_field'] = True
         beats_field['fields'] = fieldset_field_array(fieldset['fields'], df_allowlist, fieldset['prefix'])
         beats_fields.append(beats_field)
 
diff --git a/scripts/generators/beats_default_fields_allowlist.yml b/scripts/generators/beats_default_fields_allowlist.yml
index 6629ce6ca5..7eec6130a1 100644
--- a/scripts/generators/beats_default_fields_allowlist.yml
+++ b/scripts/generators/beats_default_fields_allowlist.yml
@@ -1,3 +1,19 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
 ---
 !!set
 # Note: other fields can be inserted as needed
diff --git a/scripts/generators/csv_generator.py b/scripts/generators/csv_generator.py
index e1f6bad89e..39e3ecae54 100644
--- a/scripts/generators/csv_generator.py
+++ b/scripts/generators/csv_generator.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import csv
 import sys
 
diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py
index fbf7f4a2a1..19197e56cb 100644
--- a/scripts/generators/ecs_helpers.py
+++ b/scripts/generators/ecs_helpers.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import glob
 import os
 import yaml
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index ceb631cb65..19cbf57bb4 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import copy
 import json
 import sys
@@ -12,7 +29,8 @@
     'constant_keyword': 'keyword',
     'wildcard': 'keyword',
     'version': 'keyword',
-    'match_only_text': 'text'
+    'match_only_text': 'text',
+    'flattened': 'object'
 }
 
 # Composable Template
@@ -231,7 +249,8 @@ def save_json(file, data):
     if sys.version_info >= (3, 0):
         open_mode = "w"
     with open(file, open_mode) as jsonfile:
-        jsonfile.write(json.dumps(data, indent=2, sort_keys=True))
+        json.dump(data, jsonfile, indent=2, sort_keys=True)
+        jsonfile.write('\n')
 
 
 def default_template_settings(ecs_version):
diff --git a/scripts/generators/intermediate_files.py b/scripts/generators/intermediate_files.py
index c085039b62..10c9a2466d 100644
--- a/scripts/generators/intermediate_files.py
+++ b/scripts/generators/intermediate_files.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import copy
 
 from schema import visitor
diff --git a/scripts/schema/__init__.py b/scripts/schema/__init__.py
index e69de29bb2..fae77611ff 100644
--- a/scripts/schema/__init__.py
+++ b/scripts/schema/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index ca892b9f20..cc85ad5b4e 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import copy
 
 from generators import ecs_helpers
diff --git a/scripts/schema/exclude_filter.py b/scripts/schema/exclude_filter.py
index 5717ecfb6f..9ccbf25351 100644
--- a/scripts/schema/exclude_filter.py
+++ b/scripts/schema/exclude_filter.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 from schema import loader
 
 # This script should be run downstream of the subset filters - it takes
diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py
index 86fe5b760f..298b0d7dfa 100644
--- a/scripts/schema/finalizer.py
+++ b/scripts/schema/finalizer.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import copy
 import re
 
diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py
index a662622274..00fbf721e5 100644
--- a/scripts/schema/loader.py
+++ b/scripts/schema/loader.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import copy
 import glob
 import yaml
diff --git a/scripts/schema/subset_filter.py b/scripts/schema/subset_filter.py
index 8c91929f0d..f00dc11e09 100644
--- a/scripts/schema/subset_filter.py
+++ b/scripts/schema/subset_filter.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 from generators import intermediate_files
 from schema import cleaner, loader
diff --git a/scripts/schema/visitor.py b/scripts/schema/visitor.py
index 3c3d762bad..baf22f0ee5 100644
--- a/scripts/schema/visitor.py
+++ b/scripts/schema/visitor.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 def visit_fields(fields, fieldset_func=None, field_func=None):
     """
     This function navigates the deeply nested tree structure and runs provided
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2
index 6a099f0a46..41d9a9cd11 100644
--- a/scripts/templates/field_details.j2
+++ b/scripts/templates/field_details.j2
@@ -1,4 +1,5 @@
-{# Title & Description -#}
+{# Title & Description
+-#}
 [[ecs-{{ fieldset['name'] }}]]
 === {{ fieldset['title'] }} Fields
 
@@ -104,11 +105,11 @@ Note also that the `{{ fieldset['name'] }}` fields may be used directly at the r
 
 Note also that the `{{ fieldset['name'] }}` fields are not expected to be used directly at the root of the events.
 
-{% endif %}{# if 'top_level' -#}
+{%- endif %}{# if 'top_level' -#}
 {% endif %}{# if 'reusable' #}
 
 
-{% if 'nestings' in fieldset -%}
+{%- if 'nestings' in fieldset -%}
 
 [[ecs-{{ fieldset['name'] }}-nestings]]
 [discrete]
@@ -143,7 +144,7 @@ Note also that the `{{ fieldset['name'] }}` fields are not expected to be used d
 |=====
 
 {% endif %}{# if 'nestings' #}
-{%- endif -%}{# if 'nestings' or 'reusable' in fieldset #}
+{%- endif %}{# if 'nestings' or 'reusable' in fieldset #}
 {%- if usage_doc %}
 
 {# Field Usage Table Header -#}
diff --git a/scripts/templates/field_values.j2 b/scripts/templates/field_values.j2
index 86576c6930..89d36782f2 100644
--- a/scripts/templates/field_values.j2
+++ b/scripts/templates/field_values.j2
@@ -1,4 +1,3 @@
-
 [[ecs-category-field-values-reference]]
 == {ecs} Categorization Fields
 
diff --git a/scripts/templates/fields.j2 b/scripts/templates/fields.j2
index 1f5ab65472..9c9154cafd 100644
--- a/scripts/templates/fields.j2
+++ b/scripts/templates/fields.j2
@@ -1,4 +1,3 @@
-
 [[ecs-field-reference]]
 == {ecs} Field Reference
 
@@ -11,7 +10,7 @@ at the root of the event.
 All other field sets are defined as objects in {es}, under which
 all fields are defined.
 
-For a single page representation of all fields, please see the 
+For a single page representation of all fields, please see the
 {ecs_github_repo_link}/generated/csv/fields.csv[generated CSV of fields].
 
 [float]
@@ -26,4 +25,3 @@ For a single page representation of all fields, please see the
 |=====
 
 include::field-details.asciidoc[]
-
diff --git a/scripts/tests/__init__.py b/scripts/tests/__init__.py
index e69de29bb2..fae77611ff 100644
--- a/scripts/tests/__init__.py
+++ b/scripts/tests/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
diff --git a/scripts/tests/test_asciidoc_fields.py b/scripts/tests/test_asciidoc_fields.py
index 1851fc95fe..cdd7b93c29 100644
--- a/scripts/tests/test_asciidoc_fields.py
+++ b/scripts/tests/test_asciidoc_fields.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 import sys
 import unittest
diff --git a/scripts/tests/test_ecs_helpers.py b/scripts/tests/test_ecs_helpers.py
index 79b554ad95..9d14677eed 100644
--- a/scripts/tests/test_ecs_helpers.py
+++ b/scripts/tests/test_ecs_helpers.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 import sys
 import unittest
diff --git a/scripts/tests/test_ecs_spec.py b/scripts/tests/test_ecs_spec.py
index 6ff6372579..a7a3d591c7 100644
--- a/scripts/tests/test_ecs_spec.py
+++ b/scripts/tests/test_ecs_spec.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 import sys
 import unittest
diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py
index cf9ba7da3e..127a0cc170 100644
--- a/scripts/tests/test_es_template.py
+++ b/scripts/tests/test_es_template.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 import sys
 import unittest
diff --git a/scripts/tests/unit/__init__.py b/scripts/tests/unit/__init__.py
index e69de29bb2..fae77611ff 100644
--- a/scripts/tests/unit/__init__.py
+++ b/scripts/tests/unit/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
diff --git a/scripts/tests/unit/test_beats_generator.py b/scripts/tests/unit/test_beats_generator.py
index a433442557..bb421b2ac7 100644
--- a/scripts/tests/unit/test_beats_generator.py
+++ b/scripts/tests/unit/test_beats_generator.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 import sys
 from typing import OrderedDict
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index f0384d4f53..ca47f9874b 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 import pprint
 import sys
diff --git a/scripts/tests/unit/test_schema_exclude_filter.py b/scripts/tests/unit/test_schema_exclude_filter.py
index 5b6cb5d6ad..9e714a197b 100644
--- a/scripts/tests/unit/test_schema_exclude_filter.py
+++ b/scripts/tests/unit/test_schema_exclude_filter.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 from schema import exclude_filter
 import mock
 import os
diff --git a/scripts/tests/unit/test_schema_finalizer.py b/scripts/tests/unit/test_schema_finalizer.py
index fd0c8d6118..707c7a22f6 100644
--- a/scripts/tests/unit/test_schema_finalizer.py
+++ b/scripts/tests/unit/test_schema_finalizer.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import os
 import pprint
 import sys
diff --git a/scripts/tests/unit/test_schema_loader.py b/scripts/tests/unit/test_schema_loader.py
index b9b263f5df..f74e50eb4c 100644
--- a/scripts/tests/unit/test_schema_loader.py
+++ b/scripts/tests/unit/test_schema_loader.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import mock
 import os
 import pprint
diff --git a/scripts/tests/unit/test_schema_subset_filter.py b/scripts/tests/unit/test_schema_subset_filter.py
index e7ae5fd211..0f1f7975bc 100644
--- a/scripts/tests/unit/test_schema_subset_filter.py
+++ b/scripts/tests/unit/test_schema_subset_filter.py
@@ -1,3 +1,20 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 import mock
 import os
 import pprint
diff --git a/stages.html b/stages.html
index 2269bcd9dc..03d3844e2d 100644
--- a/stages.html
+++ b/stages.html
@@ -26,7 +26,7 @@
 
 <h1>ECS Proposal Stages</h1>
 
-<p>These are the stages that an individual RFC advances through before being released for general availability in the Elastic Common Schema (ECS). See the <a href="https://github.com/elastic/ecs/blob/master/rfcs/PROCESS.md">Contributing Guide</a> for broader details about contributing changes to ECS through the RFC process.
+<p>These are the stages that an individual RFC advances through before being released for general availability in the Elastic Common Schema (ECS). See the <a href="https://github.com/elastic/ecs/blob/main/rfcs/PROCESS.md">Contributing Guide</a> for broader details about contributing changes to ECS through the RFC process.
 
 <table>
   <thead>
diff --git a/usage-example/generated/elasticsearch/6/template.json b/usage-example/generated/elasticsearch/6/template.json
index 2f598e8f9b..7501b7f94e 100644
--- a/usage-example/generated/elasticsearch/6/template.json
+++ b/usage-example/generated/elasticsearch/6/template.json
@@ -1155,4 +1155,4 @@
       "refresh_interval": "2s"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/usage-example/generated/elasticsearch/7/template.json b/usage-example/generated/elasticsearch/7/template.json
index c632cfda07..ee4a84b7f6 100644
--- a/usage-example/generated/elasticsearch/7/template.json
+++ b/usage-example/generated/elasticsearch/7/template.json
@@ -1153,4 +1153,4 @@
       "refresh_interval": "2s"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/version b/version
index e4be07b065..761c136f26 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-8.0.0-dev
+8.1.0-dev