ContextQMD
Back to Beats

Common fields [exported-fields-common]

docs/reference/auditbeat/exported-fields-common.md

9.4.02.7 KB
Original Source

% This file is generated! See dev-tools/mage/generate_fields_docs.go

Common fields [exported-fields-common]

Contains common fields available in all event types.

file [_file]

File attributes.

file.setuid : Set if the file has the setuid bit set. Omitted otherwise.

type: boolean

example: True

file.setgid : Set if the file has the setgid bit set. Omitted otherwise.

type: boolean

example: True

file.origin : An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

type: keyword

file.origin.text : This is an analyzed field that is useful for full text search on the origin data.

type: text

selinux [_selinux]

The SELinux identity of the file.

file.selinux.user : The owner of the object.

type: keyword

file.selinux.role : The object's SELinux role.

type: keyword

file.selinux.domain : The object's SELinux domain or type.

type: keyword

file.selinux.level : The object's SELinux level.

type: keyword

example: s0

file.extended_attributes {applies_to}stack: preview 9.2.0 : Extended file attributes. Contains NTFS Extended Attributes (EAs) on Windows systems. Extended Attributes are name-value pairs that can be attached to files and directories to store additional metadata beyond standard file attributes. The object contains key-value pairs where keys are EA names and values are their corresponding values. This field is only populated on Windows and only when the file has extended attributes.

type: flattened

user [_user]

User information.

audit [_audit]

Audit user information.

user.audit.id : Audit user ID.

type: keyword

user.audit.name : Audit user name.

type: keyword

filesystem [_filesystem]

Filesystem user information.

user.filesystem.id : Filesystem user ID.

type: keyword

user.filesystem.name : Filesystem user name.

type: keyword

group [_group]

Filesystem group information.

user.filesystem.group.id : Filesystem group ID.

type: keyword

user.filesystem.group.name : Filesystem group name.

type: keyword

saved [_saved]

Saved user information.

user.saved.id : Saved user ID.

type: keyword

user.saved.name : Saved user name.

type: keyword

group [_group]

Saved group information.

user.saved.group.id : Saved group ID.

type: keyword

user.saved.group.name : Saved group name.

type: keyword