auditbeat.md

File metadata and controls

44 lines (37 loc) · 3.75 KB

# Auditbeat use case

ECS usage in Auditbeat.

## Auditbeat fields

| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| event.module | Auditbeat module name. | core | keyword | mysql |
| **file.\*** | File attributes. | | | |
| file.path | The path to the file. | extended | keyword | |
| file.target_path | The target path for symlinks. | extended | keyword | |
| file.type | The file type (file, dir, or symlink). | extended | keyword | |
| file.device | The device. | extended | keyword | |
| file.inode | The inode representing the file in the filesystem. | extended | keyword | |
| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | extended | keyword | |
| file.owner | The file owner's username. | extended | keyword | |
| file.gid | The primary group ID (GID) of the file. | extended | keyword | |
| file.group | The primary group name of the file. | extended | keyword | |
| file.mode | The mode of the file in octal representation. | extended | keyword | 416 |
| file.size | The file size in bytes (field is only added when type is file). | extended | long | |
| file.mtime | The last modified time of the file (time when content was modified). | extended | date | |
| file.ctime | The last change time of the file (time when metadata was changed). | extended | date | |
| **hash.\*** | Hash fields used in Auditbeat. The hash field contains cryptographic hashes of data associated with the event (such as a file). The keys are names of cryptographic algorithms. The values are encoded as hexadecimal (lower-case). All fields in user can have one or multiple entries. | | | |
| hash.blake2b_256 | BLAKE2b-256 hash of the file. | (use case) | keyword | |
| hash.blake2b_384 | BLAKE2b-384 hash of the file. | (use case) | keyword | |
| hash.blake2b_512 | BLAKE2b-512 hash of the file. | (use case) | keyword | |
| hash.md5 | MD5 hash. | (use case) | keyword | |
| hash.sha1 | SHA-1 hash. | (use case) | keyword | |
| hash.sha224 | SHA-224 hash (SHA-2 family). | (use case) | keyword | |
| hash.sha256 | SHA-256 hash (SHA-2 family). | (use case) | keyword | |
| hash.sha384 | SHA-384 hash (SHA-2 family). | (use case) | keyword | |
| hash.sha512 | SHA-512 hash (SHA-2 family). | (use case) | keyword | |
| hash.sha512_224 | SHA-512/224 hash (SHA-2 family). | (use case) | keyword | |
| hash.sha512_256 | SHA-512/256 hash (SHA-2 family). | (use case) | keyword | |
| hash.sha3_224 | SHA3-224 hash (SHA-3 family). | (use case) | keyword | |
| hash.sha3_256 | SHA3-256 hash (SHA-3 family). | (use case) | keyword | |
| hash.sha3_384 | SHA3-384 hash (SHA-3 family). | (use case) | keyword | |
| hash.sha3_512 | SHA3-512 hash (SHA-3 family). | (use case) | keyword | |
| hash.xxh64 | XX64 hash of the file. | (use case) | keyword | |
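The table above describes the shape of an Auditbeat file event but not how the `file.*` and `hash.*` objects are populated. The following is an added example, not code from the ECS project or from Auditbeat itself: it builds an ECS-shaped document from `os.lstat` and `hashlib`, rendering `file.mode` in octal and every `hash.*` value as lower-case hexadecimal keyed by algorithm name as the table requires, and includes a small validator that a consumer (a pipeline or a detection rule) can run to reject malformed hash objects. The function names, the `HEX_LENGTH` table and the sample content `b"hello"` are this example's own assumptions; `file.owner` and `file.group` name lookups, `hash.xxh64` and the SHA-512/t variants are left out because the Python standard library does not provide them portably.

```python
"""Build and validate an ECS-shaped, Auditbeat-style file event (added example)."""
import hashlib
import os
import stat
from datetime import datetime, timezone

# Expected digest length in hex characters for each algorithm key under hash.*
# (assumption of this example, derived from the digest sizes of the algorithms
# listed in the ECS table). xxh64 is listed for validation only; hashlib cannot
# compute it.
HEX_LENGTH = {
    "md5": 32, "sha1": 40, "sha224": 56, "sha256": 64, "sha384": 96, "sha512": 128,
    "sha3_224": 56, "sha3_256": 64, "sha3_384": 96, "sha3_512": 128,
    "blake2b_256": 64, "blake2b_384": 96, "blake2b_512": 128,
    "xxh64": 16,
}


def _hasher(name):
    """Map an ECS hash key to a hashlib object; blake2b needs an explicit digest size."""
    if name.startswith("blake2b_"):
        bits = int(name.split("_")[1])
        return hashlib.blake2b(digest_size=bits // 8)
    return hashlib.new(name)


def hash_bytes(data, algorithms=("sha1", "sha256")):
    """Return {algorithm: digest} for the given bytes; hexdigest() is lower-case already."""
    out = {}
    for name in algorithms:
        h = _hasher(name)
        h.update(data)
        out[name] = h.hexdigest()
    return out


def validate_hashes(hashes):
    """Return a list of problems in a hash.* object; an empty list means it is well-formed."""
    problems = []
    for name, value in hashes.items():
        if name not in HEX_LENGTH:
            problems.append(f"{name}: unknown algorithm key")
            continue
        if not isinstance(value, str) or len(value) != HEX_LENGTH[name]:
            problems.append(f"{name}: expected {HEX_LENGTH[name]} hex chars")
        elif any(c not in "0123456789abcdef" for c in value):
            # Upper-case or non-hex characters violate the "hexadecimal (lower-case)" rule.
            problems.append(f"{name}: not lower-case hexadecimal")
    return problems


def _file_type(st):
    """Classify an lstat result into the three values the file.type field allows."""
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if stat.S_ISDIR(st.st_mode):
        return "dir"
    return "file"


def build_file_event(path, algorithms=("sha1", "sha256")):
    """Produce an ECS document with event.module, file.* and (for regular files) hash.*."""
    st = os.lstat(path)  # lstat so that symlinks are described, not followed
    ftype = _file_type(st)
    file_fields = {
        "path": path,
        "type": ftype,
        "device": str(st.st_dev),
        "inode": str(st.st_ino),
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
        "mode": format(stat.S_IMODE(st.st_mode), "04o"),  # octal, e.g. "0640"
        "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "ctime": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc).isoformat(),
    }
    event = {"event": {"module": "auditbeat"}, "file": file_fields}
    if ftype == "symlink":
        file_fields["target_path"] = os.readlink(path)
    if ftype == "file":
        file_fields["size"] = st.st_size  # size is only added for regular files
        with open(path, "rb") as f:
            event["hash"] = hash_bytes(f.read(), algorithms)
    return event


if __name__ == "__main__":
    import json
    import tempfile

    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(b"hello")  # constructed sample content
    ev = build_file_event(tmp.name, ("md5", "sha256", "sha3_256", "blake2b_256"))
    print(json.dumps(ev, indent=2))
    print("hash problems:", validate_hashes(ev["hash"]))
    os.unlink(tmp.name)
```

Running the module hashes a temporary file and prints the resulting document. `validate_hashes` is the part worth reusing on the consuming side: a `hash.sha256` value with upper-case letters or the wrong length will not match an indicator list that stores lower-case digests, so checking the object before indexing or comparing avoids silent misses.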