fields.common.yml
- key: common
  title: Common
  description: >
    Contains common fields available in all event types.
  fields:
    - name: file
      type: group
      description: File attributes.
      fields:
        - name: setuid
          type: boolean
          example: true
          description: Set if the file has the `setuid` bit set. Omitted otherwise.
        - name: setgid
          type: boolean
          example: true
          description: Set if the file has the `setgid` bit set. Omitted otherwise.
        - name: origin
          type: keyword
          description: >
            An array of strings describing a possible external origin for
            this file. For example, the URL it was downloaded from. Only
            supported in macOS, via the kMDItemWhereFroms attribute.
            Omitted if origin information is not available.
          multi_fields:
            - name: text
              type: text
              description: >
                This is an analyzed field that is useful for full text search
                on the origin data.
        - name: selinux
          type: group
          description: The SELinux identity of the file.
          fields:
            - name: user
              type: keyword
              description: The owner of the object.
            - name: role
              type: keyword
              description: The object's SELinux role.
            - name: domain
              type: keyword
              description: The object's SELinux domain or type.
            - name: level
              type: keyword
              example: s0
              description: The object's SELinux level.
    - name: user
      type: group
      description: User information.
      fields:
        - name: audit
          type: group
          description: Audit user information.
          fields:
            - name: id
              type: keyword
              description: Audit user ID.
            - name: name
              type: keyword
              description: Audit user name.
        - name: filesystem
          type: group
          description: Filesystem user information.
          fields:
            - name: id
              type: keyword
              description: Filesystem user ID.
            - name: name
              type: keyword
              description: Filesystem user name.
            - name: group
              type: group
              description: Filesystem group information.
              fields:
                - name: id
                  type: keyword
                  description: Filesystem group ID.
                - name: name
                  type: keyword
                  description: Filesystem group name.
        - name: saved
          type: group
          description: Saved user information.
          fields:
            - name: id
              type: keyword
              description: Saved user ID.
            - name: name
              type: keyword
              description: Saved user name.
            - name: group
              type: group
              description: Saved group information.
              fields:
                - name: id
                  type: keyword
                  description: Saved group ID.
                - name: name
                  type: keyword
                  description: Saved group name.