BOTES Fields

This page lists, for each data sourcetype, the original field names and the ECS field names they are mapped to.

Detailed Excel and CSV files can be downloaded here:

BOTES Field details (xlsx): https://botes.s3-us-west-1.amazonaws.com/botes-summary/excel/BOTES-Fields-Details.xlsx

Field details per sourcetype (CSV): Download Link

Fgt fields

fgt_event

| Original Field Name | ECS Field Name |
|---|---|
| hostname | dhcp.client.hostname |
| ip | dhcp.source.ip |
| lease | dhcp.client.lease |
| mac | dhcp.source.mac |
| dhcp_msg | dhcp.message |
| total | dhcp.total.ip |
| used | dhcp.used.ip |
| state | event.action |
| vendor_action | event.action |
| eventtype | event.category |
| time | event.created |
| logdesc | event.description |
| logid | event.id |
| message | event.original |
| status | event.outcome |
| reason | event.reason |
| sn | event.sequence |
| date_zone | event.timezone |
| level | log.level |
| subtype | log.subtype |
| type | log.type |
| msg | message |
| bandwidth | network.bandwidth |
| devname | observer.hostname |
| devid | observer.id |
| host | observer.ip |
| profile | threat.profile.name |
| count | threat.quarantine.count |
| product | observer.type |
| vendor | observer.vendor |
| interface | source.interface |
| ui | source.user.interface |
| src_user | source.user.name |
| user | source.user.name |

fgt_traffic

| Original Field Name | ECS Field Name |
|---|---|
| craction | threat.reputation.id |
| crlevel | client.reputation.level |
| crscore | client.reputation.score |
| rcvdbyte | destination.bytes |
| dstintf | destination.interface |
| dstip | destination.ip |
| tranip | destination.nat.ip |
| tranport | destination.nat.port |
| rcvdpkt | destination.packets |
| dstport | destination.port |
| eventtype | event.category |
| time | event.created |
| logid | event.id |
| message | event.original |
| vendor_action | event.outcome |
| date_zone | event.timezone |
| mastersrcmac | host.master.mac |
| level | log.level |
| subtype | log.subtype |
| type | log.type |
| bytes | network.bytes |
| proto | network.iana_number |
| trandisp | network.nat.type |
| packets | network.packets |
| service | network.protocol |
| duration | network.session.duration |
| sessionid | network.session.id |
| transport | network.transport |
| countav | threat.antivirus.count |
| appcat | threat.application.category |
| appact | threat.application.control.action |
| countapp | threat.application.control.logs |
| appid | threat.application.id |
| applist | threat.application.list |
| app | threat.application.name |
| apprisk | threat.application.risk |
| devname | observer.hostname |
| devid | observer.id |
| host | observer.ip |
| countips | threat.ips.count |
| utmaction | threat.action.outcome |
| policyid | threat.policy.id |
| poluuid | threat.policy.uuid |
| product | observer.type |
| vendor | observer.vendor |
| countweb | threat.webfilter.count |
| sentbyte | source.bytes |
| devtype | source.device.type |
| srcname | source.hostname |
| srcintf | source.interface |
| srcip | source.ip |
| srcmac | source.mac |
| transip | source.nat.ip |
| vendor_transport | source.nat.port |
| osname | source.os.name |
| osversion | source.os.version |
| sentpkt | source.packets |
| srcport | source.port |
| user | user.name |

fgt_utm

| Original Field Name | ECS Field Name |
|---|---|
| crlevel | client.reputation.level |
| crscore | client.reputation.score |
| rcvdbyte | destination.bytes |
| dstintf | destination.interface |
| dstip | destination.ip |
| dstport | destination.port |
| eventtype | event.category |
| time | event.created |
| msg | event.description |
| logid | event.id |
| message | event.original |
| vendor_action | event.outcome |
| method | threat.risk.method |
| severity | log.level |
| date_zone | event.timezone |
| analyticssubmit | file.analysis |
| analyticscksum | file.hash.sha256 |
| file_hash | file.hash.sha256 |
| filename | file.name |
| file_path | file.path |
| reqtype | http.request.type |
| level | log.level |
| subtype | log.subtype |
| type | log.type |
| bytes | network.bytes |
| direction | network.direction |
| proto | network.iana_number |
| service | network.protocol |
| sessionid | network.session.id |
| appcat | threat.application.category |
| appid | threat.application.id |
| applist | threat.application.list |
| app | threat.application.name |
| apprisk | threat.application.risk |
| attackid | threat.attack.id |
| devname | observer.hostname |
| devid | observer.id |
| ids_type | observer.ids.type |
| incidentserialno | threat.incident.id |
| host | observer.ip |
| policyid | threat.policy.id |
| profile | threat.profile.name |
| catdesc | threat.proxy.category.desc |
| cat | threat.proxy.category.id |
| quarskip | threat.quarantine.explain |
| attack | threat.signature.name |
| ref | threat.signature.reference |
| product | observer.type |
| vendor | observer.vendor |
| virusid | threat.virus.id |
| virus | threat.virus.name |
| dtype | threat.virus.type |
| sentbyte | source.bytes |
| srcintf | source.interface |
| srcip | source.ip |
| srcport | source.port |
| hostname | url.domain |
| url | url.full |
| vendor_url | url.path |
| user | user.name |
| http_user_agent | user_agent.original |

IIS fields

IIS

| Original Field Name | ECS Field Name |
|---|---|
| c_ip | client.ip |
| cs_method | http.request.method |
| cs_Referer | http.request.referrer |
| cs_uri_query | url.query |
| cs_uri_stem | url.path |
| cs_User_Agent | user_agent.original |
| cs_username | client.user.name |
| date_zone | event.timezone |
| host | source.hostname |
| message | event.original |
| sc_status | http.response.status_code |
| sc_substatus | http.response.substatus_code |
| sc_win32_status | winlog.win32.status |
| s_ip | event.source.ip |
| s_port | server.port |
| time | event.created |
| time_taken | http.session.duration |

Nessus fields

Nessus:Scan

| Original Field Name | ECS Field Name |
|---|---|
| control | nessus.control.flag |
| count | nessus.scan.count |
| edit_allowed | nessus.edit.flag |
| folder_id | nessus.folder.id |
| hasaudittrail | nessus.audittrail.flag |
| haskb | nessus.kb.flag |
| host | observer.hostname |
| hostcount | nessus.host.count |
| host_end | nessus.scan.end |
| host_id | nessus.host.id |
| host-ip | destination.ip |
| hostname | destination.hostname |
| host_start | nessus.scan.start |
| mac-address | destination.mac |
| name | nessus.scan.name |
| netbios-name | destination.hostname |
| object_id | nessus.object.id |
| operating-system | destination.os.full |
| pci-can-upload | nessus.pciupload.flag |
| plugin_family | nessus.plugin.family |
| plugin_id | nessus.plugin.id |
| plugin_name | nessus.plugin.name |
| policy | nessus.policy.name |
| ports{}.port | destination.port |
| ports{}.protocol | network.protocol |
| ports{}.transport | network.transport |
| message | event.original |
| scanner_name | nessus.scanner.name |
| scan_start | nessus.scan.start |
| scan_type | nessus.scan.type |
| severity | event.severity |
| severity_id | log.level |
| severity_index | nessus.severity.index |
| sid | nessus.security.id |
| status | nessus.scan.status |
| targets | nessus.targets |
| time | event.created |
| user_permissions | nessus.user.permissions |
| uuid | nessus.uuid |
| vuln_index | nessus.vuln.index |

Stream fields

Stream:DHCP

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| chaddr | dhcp.client.mac |
| ciaddr | dhcp.client.ip |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| dns_server | dhcp.offer.dns |
| endtime | network.session.end |
| eventtype | event.category |
| giaddr | dhcp.relay.ip |
| host | dhcp.server.hostname |
| ip_lease_time | dhcp.client.lease |
| opcode | dhcp.message |
| protocol | network.protocol |
| message | event.original |
| router | dhcp.offer.gateway |
| siaddr | dhcp.bootstrap.server.ip |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| subnetmask | dhcp.offer.subnetmask |
| time | event.created |
| transaction_id | dhcp.transaction.id |
| transport | network.transport |
| yiaddr | dhcp.offer.ip |

Stream:DNS

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| duration | network.session.duration |
| endtime | network.session.end |
| eventtype | event.category |
| host | host.hostname |
| host_addr{} | dns.answers.name |
| hostname{} | dns.answers.data |
| message_type | dns.type |
| name{} | dns.question.name |
| protocol | network.protocol |
| query | dns.answers.data |
| message | event.original |
| record_type | dns.answers.type |
| reply_code | dns.response_code |
| response_time | dns.response.time |
| reverse_addr{} | dns.answers.reverse |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transaction_id | dns.id |
| transport | network.transport |
| ttl{} | dns.answers.ttl |

Stream:HTTP

| Original Field Name | ECS Field Name |
|---|---|
| accept | http.request.accept |
| accept{} | http.request.accept |
| accept_language | http.request.accept_language |
| ack_packets_in | client.packets.ack |
| ack_packets_out | server.packets.ack |
| age | http.response.age |
| allow | http.header.allow |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| cached | http.cached |
| cached{} | http.cached |
| canceled | http.canceled.responses |
| c_ip | client.ip |
| connection_type | http.header.connection |
| connection_type{} | http.header.connection |
| content_disposition | http.response.content_dispostion |
| content_disposition{} | http.response.content_dispostion |
| content_encoding | http.header.content_encoding |
| content_location | http.header.content_location |
| cookie | http.request.cookie |
| cookie{} | http.request.cookie |
| cs_cache_control | http.request.cache_control |
| cs_content_length | http.request.content_length |
| cs_content_length{} | http.request.content_length |
| cs_content_type | http.request.content_type |
| cs_content_type{} | http.request.content_type |
| cs_date | http.request.data |
| cs_date{} | http.request.data |
| cs_pragma | http.request.pragma |
| cs_version | http.version |
| cs_version{} | http.version |
| data_packets_in | client.packets.data |
| data_packets_out | server.packets.data |
| date_zone | event.timezone |
| dest_content | http.response.payload |
| dest_headers | http.response.headers |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| etag | http.response.etag |
| eventtype | event.category |
| expires | http.response.expires |
| http_comment | http.response.status |
| http_content_length | http.response.content_length |
| http_content_type | http.response.content_type |
| http_method | http.request.method |
| http_method{} | http.request.method |
| http_referrer | http.request.referrer |
| http_referrer{} | http.request.referrer |
| http_user_agent | user_agent.original |
| http_user_agent{} | user_agent.original |
| location | http.header.content_location |
| missing_packets_in | client.packets.missing |
| missing_packets_out | server.packets.missing |
| network_interface | destination.interface |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| part_filename | file.name |
| part_filename{} | file.name |
| protocol | network.protocol |
| message | event.original |
| refused | http.request.refused |
| request | http.request.original |
| request{} | http.request.original |
| sc_cache_control | http.response.cache_control |
| sc_date | http.response.data |
| sc_pragma | http.response.pragma |
| server | http.response.server |
| set_cookie | http.response.cookie |
| site | url.domain |
| site{} | url.domain |
| src_content | http.request.payload |
| src_headers | http.request.headers |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| status | http.response.status_code |
| status{} | http.response.status_code |
| time | event.created |
| time_taken | network.session.duration |
| transfer_encoding | http.response.transfer_encoding |
| transport | network.transport |
| uri | url.original |
| uri_parm | url.fragment |
| uri_path | url.path |
| uri_query | url.query |
| url | url.full |
| user | user.name |

Stream:ICMP

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | destination.bytes |
| bytes_out | source.bytes |
| checksum | icmp.checksum |
| code | icmp.code.id |
| code_string | icmp.code.name |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| endtime | network.session.end |
| eventtype | event.category |
| id | icmp.transaction.id |
| message | event.original |
| sequence | icmp.sequence.id |
| src_ip | source.ip |
| src_mac | source.mac |
| time | event.created |
| time_taken | network.session.duration |
| type | icmp.type.id |
| type_string | icmp.type.name |

Stream:IP

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | destination.bytes |
| bytes_out | source.bytes |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| endtime | network.session.end |
| eventtype | event.category |
| fragment_count | network.ip.fragment |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| protocol | network.transport |
| protoid | network.iana_number |
| message | event.original |
| src_ip | source.ip |
| src_mac | source.mac |
| time | event.created |
| tos | network.ip.tos |
| version | network.ip.version |

Stream:LDAP

| Original Field Name | ECS Field Name |
|---|---|
| assertion_description{} | ldap.assertion.description |
| assertion_value{} | ldap.assertion.value |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| contains_sasl | ldap.sasl.enable |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| elements | ldap.original.elements |
| endtime | network.session.end |
| eventtype | event.category |
| message_id | ldap.transaction.id |
| message_type | ldap.message.type |
| message | event.original |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| transport | network.transport |

Stream:MAPI

| Original Field Name | ECS Field Name |
|---|---|
| auth_type | mapi.auth.type |
| auth_type{} | mapi.auth.type |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| domain | user.domain |
| endtime | network.session.end |
| eventtype | event.category |
| login | user.name |
| login_server | server.user.name |
| message | event.original |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |

Stream:SIP

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| callee_user_phone | sip.callee.user_phone |
| caller_user_phone | sip.caller.user_phone |
| contact | sip.contact.header |
| cseq | sip.sequence.id |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| eventtype | event.category |
| from | sip.from |
| method | sip.method |
| message | event.original |
| request_call_id | sip.call.id |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| to | sip.to |
| transport | network.transport |
| uri | sip.uri |
| via | sip.via |

Stream:SMB

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| command | smb.header.command |
| command{} | smb.header.command |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| dialect{} | smb.version |
| domain | user.domain |
| endtime | network.session.end |
| eventtype | event.category |
| filename | file.name |
| filename{} | file.name |
| filesize | file.size |
| filesize{} | file.size |
| login | user.name |
| native_os | client.os.full |
| native_os{} | client.os.full |
| nt_status | smb.header.error_status |
| nt_status{} | smb.header.error_status |
| path | file.path |
| message | event.original |
| search_attributes | smb.search.attributes |
| search_pattern | smb.search.pattern |
| service | smb.service.type |
| service{} | smb.service.type |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |
| user_id | user.id |
| user_id{} | user.id |

Stream:SNMP

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| community{} | snmp.community.name |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| eventtype | event.category |
| method{} | snmp.request.type |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| message | event.original |
| request_id | snmp.transaction.id |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |
| varbind_list{}.oid | snmp.oid.list |
| version{} | snmp.version |

Stream:TCP

| Original Field Name | ECS Field Name |
|---|---|
| ack_packets_in | client.packets.ack |
| ack_packets_out | server.packets.ack |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| canceled | http.canceled.responses |
| data_packets_in | client.packets.data |
| data_packets_out | server.packets.data |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| eventtype | event.category |
| missing_packets_in | client.packets.missing |
| missing_packets_out | server.packets.missing |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| message | event.original |
| refused | http.request.refused |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| ssl_cert_md5 | tls.fingerprint.md5 |
| ssl_cert_self_signed | tls.certificate.self_signed |
| ssl_cert_sha1 | tls.fingerprint.sha1 |
| ssl_cert_sha256 | tls.fingerprint.sha256 |
| ssl_cipher_id | tls.cipher.id |
| ssl_cipher_name | tls.cipher.name |
| ssl_client_cipher_list{} | tls.client.cipher.list |
| ssl_client_cipher_names{} | tls.client.cipher.name |
| ssl_client_compression_methods{} | tls.client.compression_method |
| ssl_client_hello_version | tls.client.hello.version |
| ssl_compression_method | tls.negociated.compression_method |
| ssl_issuer | tls.issuer.dn |
| ssl_issuer_common_name | tls.issuer.cn |
| ssl_issuer_country | tls.issuer.country |
| ssl_issuer_email | tls.issuer.email |
| ssl_issuer_locality | tls.issuer.locality |
| ssl_issuer_organization | tls.issuer.organization |
| ssl_issuer_state | tls.issuer.state |
| ssl_issuer_unit | tls.issuer.unit |
| ssl_publickey_algorithm | tls.publickey.algorithm |
| ssl_publickey_bit_len | tls.publickey.length |
| ssl_serial | tls.serial.number |
| ssl_signature_algorithm | tls.signature.algorithm |
| ssl_subject | tls.subject.dn |
| ssl_subject_common_name | tls.subject.cn |
| ssl_subject_country | tls.subject.country |
| ssl_subject_locality | tls.subject.locality |
| ssl_subject_organization | tls.subject.organization |
| ssl_subject_state | tls.subject.state |
| ssl_subject_unit | tls.subject.unit |
| ssl_validity_end | tls.validity.end |
| ssl_validity_start | tls.validity.start |
| ssl_version | tls.version |
| tcp_status | tcp.state |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |

Suricata fields

Suricata

| Original Field Name | ECS Field Name |
|---|---|
| flow.bytes_toclient | destination.bytes |
| in_iface | destination.interface |
| dest_ip | destination.ip |
| flow.pkts_toclient | destination.packets |
| dest_port | destination.port |
| answer | dns.answers |
| dns.rcode | dns.response_code |
| dns.type | dns.type |
| dns.rdata | dns.answers.data |
| dns.rrname | dns.answers.name |
| dns.rrtype | dns.answers.type |
| dns.id | dns.id |
| dns.ttl | dns.answers.ttl |
| alert.category | event.category |
| event_type | event.category |
| eventtype | event.category |
| time | event.created |
| message | event.original |
| alert.action | event.outcome |
| alert.severity | event.severity |
| date_zone | event.timezone |
| fileinfo.filename | file.path |
| fileinfo.size | file.size |
| http.http_content_type | http.response.content_type |
| http.redirect | http.redirect.url |
| http.http_method | http.request.method |
| http.http_refer | http.request.referrer |
| http.length | http.response.content_length |
| http.status | http.response.status_code |
| http.protocol | http.version |
| http.xff | http.xff |
| icmp_code | icmp.code.id |
| icmp_type | icmp.type.id |
| app_proto | network.protocol |
| flow.age | network.session.duration |
| flow.end | network.session.end |
| flow_id | network.session.id |
| flow.reason | network.session.reason |
| flow.start | network.session.start |
| flow.state | network.session.state |
| proto | network.transport |
| alert.signature_id | threat.attack.id |
| fileinfo.state | threat.file.state |
| fileinfo.stored | threat.file.stored |
| host | observer.hostname |
| ids_type | observer.ids.type |
| alert.gid | threat.signature.gid |
| alert.signature | threat.signature.name |
| alert.rev | threat.signature.revision |
| product | observer.type |
| vendor | observer.vendor |
| flow.bytes_toserver | source.bytes |
| flow.pkts_toserver | source.bytes |
| src_ip | source.ip |
| src_port | source.port |
| ssh.client.software_version | ssh.client.software |
| ssh.client.proto_version | ssh.client.version |
| ssh.server.software_version | ssh.server.software |
| ssh.server.proto_version | ssh.server.version |
| stats.capture.kernel_drops | suricata.eve.stats.capture.kernel_drops |
| stats.capture.kernel_packets | suricata.eve.stats.capture.kernel_packets |
| stats.decoder.avg_pkt_size | suricata.eve.stats.decoder.avg_pkt_size |
| stats.decoder.bytes | suricata.eve.stats.decoder.bytes |
| stats.decoder.erspan | suricata.eve.stats.decoder.erspan |
| stats.decoder.ethernet | suricata.eve.stats.decoder.ethernet |
| stats.decoder.gre | suricata.eve.stats.decoder.gre |
| stats.decoder.icmpv4 | suricata.eve.stats.decoder.icmpv4 |
| stats.decoder.icmpv6 | suricata.eve.stats.decoder.icmpv6 |
| stats.decoder.invalid | suricata.eve.stats.decoder.invalid |
| stats.decoder.ipraw.invalid_ip_version | suricata.eve.stats.decoder.ipraw.invalid_ip_version |
| stats.decoder.ipv4 | suricata.eve.stats.decoder.ipv4 |
| stats.decoder.ipv4_in_ipv6 | suricata.eve.stats.decoder.ipv4_in_ipv6 |
| stats.decoder.ipv6 | suricata.eve.stats.decoder.ipv6 |
| stats.decoder.ipv6_in_ipv6 | suricata.eve.stats.decoder.ipv6_in_ipv6 |
| stats.decoder.ltnull.pkt_too_small | suricata.eve.stats.decoder.ltnull.pkt_too_small |
| stats.decoder.ltnull.unsupported_type | suricata.eve.stats.decoder.ltnull.unsupported_type |
| stats.decoder.max_pkt_size | suricata.eve.stats.decoder.max_pkt_size |
| stats.decoder.mpls | suricata.eve.stats.decoder.mpls |
| stats.decoder.null | suricata.eve.stats.decoder.null |
| stats.decoder.pkts | suricata.eve.stats.decoder.pkts |
| stats.decoder.ppp | suricata.eve.stats.decoder.ppp |
| stats.decoder.pppoe | suricata.eve.stats.decoder.pppoe |
| stats.decoder.raw | suricata.eve.stats.decoder.raw |
| stats.decoder.sctp | suricata.eve.stats.decoder.sctp |
| stats.decoder.sll | suricata.eve.stats.decoder.sll |
| stats.decoder.tcp | suricata.eve.stats.decoder.tcp |
| stats.decoder.teredo | suricata.eve.stats.decoder.teredo |
| stats.decoder.udp | suricata.eve.stats.decoder.udp |
| stats.decoder.vlan | suricata.eve.stats.decoder.vlan |
| stats.decoder.vlan_qinq | suricata.eve.stats.decoder.vlan_qinq |
| stats.defrag.ipv4.fragments | suricata.eve.stats.defrag.ipv4.fragments |
| stats.defrag.ipv4.reassembled | suricata.eve.stats.defrag.ipv4.reassembled |
| stats.defrag.ipv4.timeouts | suricata.eve.stats.defrag.ipv4.timeouts |
| stats.defrag.ipv6.fragments | suricata.eve.stats.defrag.ipv6.fragments |
| stats.defrag.ipv6.reassembled | suricata.eve.stats.defrag.ipv6.reassembled |
| stats.defrag.ipv6.timeouts | suricata.eve.stats.defrag.ipv6.timeouts |
| stats.defrag.max_frag_hits | suricata.eve.stats.defrag.max_frag_hits |
| stats.detect.alert | suricata.eve.stats.detect.alert |
| stats.dns.memcap_global | suricata.eve.stats.dns.memcap_global |
| stats.dns.memcap_state | suricata.eve.stats.dns.memcap_state |
| stats.dns.memuse | suricata.eve.stats.dns.memuse |
| stats.flow.emerg_mode_entered | suricata.eve.stats.flow.emerg_mode_entered |
| stats.flow.emerg_mode_over | suricata.eve.stats.flow.emerg_mode_over |
| stats.flow.memcap | suricata.eve.stats.flow.memcap |
| stats.flow.memuse | suricata.eve.stats.flow.memuse |
| stats.flow.spare | suricata.eve.stats.flow.spare |
| stats.flow.tcp_reuse | suricata.eve.stats.flow.tcp_reuse |
| stats.flow_mgr.closed_pruned | suricata.eve.stats.flow_mgr.closed_pruned |
| stats.flow_mgr.est_pruned | suricata.eve.stats.flow_mgr.est_pruned |
| stats.flow_mgr.new_pruned | suricata.eve.stats.flow_mgr.new_pruned |
| stats.http.memcap | suricata.eve.stats.http.memcap |
| stats.http.memuse | suricata.eve.stats.http.memuse |
| stats.stream.3whs_ack_in_wrong_dir | suricata.eve.stats.stream.3whs_ack_in_wrong_dir |
| stats.stream.3whs_async_wrong_seq | suricata.eve.stats.stream.3whs_async_wrong_seq |
| stats.stream.3whs_right_seq_wrong_ack_evasion | suricata.eve.stats.stream.3whs_right_seq_wrong_ack_evasion |
| stats.tcp.invalid_checksum | suricata.eve.stats.tcp.invalid_checksum |
| stats.tcp.memuse | suricata.eve.stats.tcp.memuse |
| stats.tcp.no_flow | suricata.eve.stats.tcp.no_flow |
| stats.tcp.pseudo | suricata.eve.stats.tcp.pseudo |
| stats.tcp.pseudo_failed | suricata.eve.stats.tcp.pseudo_failed |
| stats.tcp.reassembly_gap | suricata.eve.stats.tcp.reassembly_gap |
| stats.tcp.reassembly_memuse | suricata.eve.stats.tcp.reassembly_memuse |
| stats.tcp.rst | suricata.eve.stats.tcp.rst |
| stats.tcp.segment_memcap_drop | suricata.eve.stats.tcp.segment_memcap_drop |
| stats.tcp.sessions | suricata.eve.stats.tcp.sessions |
| stats.tcp.ssn_memcap_drop | suricata.eve.stats.tcp.ssn_memcap_drop |
| stats.tcp.stream_depth_reached | suricata.eve.stats.tcp.stream_depth_reached |
| stats.tcp.syn | suricata.eve.stats.tcp.syn |
| stats.tcp.synack | suricata.eve.stats.tcp.synack |
| stats.uptime | suricata.eve.stats.uptime |
| tcp.ack | tcp.ack |
| tcp.tcp_flags_ts | tcp.client.flag.hex |
| tcp_flag_to_server | tcp.client.flag.name |
| tcp.cwr | tcp.cwr |
| tcp.ecn | tcp.ecn |
| tcp.fin | tcp.fin |
| tcp.tcp_flags | tcp.flag.hex |
| tcp_flag | tcp.flag.name |
| tcp.psh | tcp.psh |
| tcp.rst | tcp.rst |
| tcp.tcp_flags_tc | tcp.server.flag.hex |
| tcp_flag_to_client | tcp.server.flag.name |
| tcp.state | tcp.state |
| tcp.syn | tcp.syn |
| tls.fingerprint | tls.fingerprint.sha1 |
| tls.issuerdn | tls.issuer.dn |
| ssl_issuer_email | tls.issuer.email |
| ssl_issuer_locality | tls.issuer.locality |
| ssl_issuer_organization | tls.issuer.organization |
| ssl_serial | tls.serial.number |
| tls.sni | tls.sni |
| tls.subject | tls.subject.dn |
| ssl_subject_email | tls.subject.email |
| ssl_subject_locality | tls.subject.locality |
| ssl_subject_organization | tls.subject.organization |
| tls.version | tls.version |
| http.hostname | url.domain |
| http.url | url.path |
| http.http_user_agent | user_agent.original |

WinEvent fields

WinEventLog:Application

| Original Field Name | ECS Field Name |
|---|---|
| Cab_Id | winlog.cab_id |
| ComputerName | winlog.computer_name |
| date_zone | event.timezone |
| dvc_nt_host | host.hostname |
| EventCode | event.code |
| Event_Name | winlog.name |
| EventType | event.category |
| Hashed_bucket | winlog.hashed.bucket |
| HRESULT | winlog.hresult |
| Internal_Timing_Sequence | winlog.esent.sequence |
| Keywords | winlog.keywords |
| LogName | event.category |
| OpCode | winlog.opcode |
| P1 | winlog.problem.signature |
| P2 | winlog.problem.signature |
| P3 | winlog.problem.signature |
| P4 | winlog.problem.signature |
| P5 | winlog.problem.signature |
| P6 | winlog.problem.signature |
| P7 | winlog.problem.signature |
| P8 | winlog.problem.signature |
| P9 | winlog.problem.signature |
| P10 | winlog.problem.signature |
| message | event.original |
| Rechecking_for_solution | winlog.checksolution.flag |
| RecordNumber | event.sequence |
| Report_Id | winlog.report.id |
| Report_Status | winlog.wer.status |
| Response | winlog.report.response |
| Revived_Cache | winlog.esent.revived_cache |
| Saved_Cache | winlog.esent.saved_cache |
| Sid | winlog.object.identifier |
| SidType | winlog.identifier.type |
| SourceName | event.provider |
| TaskCategory | event.module |
| time | event.created |
| Type | log.level |
| User | user.name |

WinEventLog:Security

| Original Field Name | ECS Field Name |
|---|---|
| Accesses | winlog.access.permissions |
| Access_Mask | winlog.access.mask |
| Access_Reasons | winlog.access.reasons |
| Account_Domain | user.domain |
| Account_Name | user.name |
| Additional_Information | winlog.additional.info |
| Advanced_Options | winlog.boot_legacy.flag |
| Authentication_Package | winlog.auth.logon |
| Authentication_Package_Name | winlog.auth.loaded |
| ComputerName | winlog.computer_name |
| Configuration_Access_Policy | winlog.boot.policy |
| Creator_Process_ID | process.ppid |
| Creator_Process_Name | process.pname |
| date_zone | event.timezone |
| Desired_Access | winlog.access.desired |
| Disable_Integrity_Checks | winlog.integrity_checks.flag |
| dvc_nt_host | host.hostname |
| Elevated_Token | winlog.elevated_token.flag |
| Error_Code | error.code |
| EventCode | event.code |
| EventType | event.category |
| Exit_Status | process.exit.status |
| File_Name | file.path |
| Flight_Signing | winlog.flight_signing.flag |
| Group_Domain | user.group.domain |
| Group_Name | user.group.name |
| Handle_ID | winlog.handle_id |
| HyperVisor_Debugging | winlog.hypervisor_debug.flag |
| HyperVisor_Launch_Type | winlog.hypervisor_launch_type |
| HyperVisor_Load_Options | winlog.hypervisor_load_options |
| Impersonation_Level | winlog.impersonation |
| Kernel_Debugging | winlog.kernel_debug.flag |
| Key_Length | winlog.ntlm.key_length |
| Keywords | winlog.keywords |
| Linked_Logon_ID | winlog.linked.logon.id |
| Link_Name | file.target_path |
| Load_Options | winlog.boot_options |
| LogName | event.category |
| Logon_Account | source.user.name |
| Logon_GUID | source.user.id |
| Logon_ID | winlog.logon.id |
| Logon_Process | winlog.logon.process |
| Logon_Process_Name | winlog.logon.process |
| Logon_Type | winlog.logon.type |
| Mandatory_Label | winlog.integrity.label |
| Name | process.executable |
| Network_Account_Domain | destination.user.domain |
| Network_Account_Name | destination.user.name |
| Network_Address | source.ip |
| New_Process_ID | process.pid |
| New_Process_Name | process.name |
| New_Security_Descriptor | winlog.sddl.new |
| New_State | winlog.transaction.state |
| New_Time | winlog.new_time |
| Notification_Package_Name | winlog.notification.package |
| Number_of_Elements | winlog.user.per_policy |
| Object_Handle | winlog.handle.id |
| Object_Name | winlog.object.name |
| Object_Server | winlog.subsystem.name |
| Object_Type | winlog.object.type |
| OpCode | winlog.opcode |
| Original_Security_Descriptor | winlog.sddl.old |
| PackageName__NTLM_only | winlog.ntlm.sub_package |
| Peer_Name | winlog.rpc.peer_name |
| Policy_ID | winlog.policy.id |
| Port | source.port |
| Previous_Time | winlog.old_time |
| Privileges | winlog.requested.privileges |
| Privileges_Used_for_Access_Check | winlog.access_check.privileges |
| Process_Command_Line | process.full |
| Process_ID | process.pid |
| Process_Name | process.name |
| Protocol_Sequence | winlog.rpc.sequence |
| message | event.original |
| RecordNumber | event.sequence |
| Relative_Target_Name | file.target_path |
| Resource_Attributes | winlog.file.attributes |
| Resource_Manager | winlog.resource_mgr.id |
| Restricted_Admin_Mode | winlog.admin_mode.flag |
| Restricted_SID_Count | winlog.restricted_sid.count |
| RM_Transaction_ID | winlog.resource_mgr.transac_id |
| Security_Error | wilong.rpc.error |
| Security_ID | winlog.object.identifier |
| Security_Package_Name | winlog.auth.loaded |
| Server | winlog.subsystem.name |
| Service_Account | winlog.service.account |
| Service_File_Name | service.file.path |
| Service_Name | service.name |
| Service_Start_Type | service.start_ype |
| Service_Type | service.type |
| Session_ID | winlog.session.id |
| Share_Name | winlog.share.name |
| Share_Path | winlog.share.path |
| Source_Address | source.ip |
| SourceName | event.provider |
| Source_Network_Address | source.ip |
| Source_Port | source.port |
| Source_Workstation | source.hostname |
| subject | event.description |
| System_Event_Logging | winlog.event_logging.flag |
| Target_Server_Name | destination.hostname |
| TaskCategory | winlog.task_category |
| Test_Signing | winlog.test_signing.flag |
| time | event.created |
| Token_Elevation_Type | winlog.token_elevation.type |
| Token_Elevation_Type_id | winlog.token_elevation.id |
| Transaction_ID | winlog.transaction.id |
| Transited_Services | winlog.transmitted_services |
| Type | log.level |
| Virtual_Account | winlog.virtual_account.flag |
| VSM_Launch_Type | winlog.vsm_launch.type |
| Workstation_Name | source.hostname |

WinEventLog:System

| Original Field Name | ECS Field Name |
|---|---|
| Adapter_Name | winlog.adapter.name |
| Adapter_specific_Domain_Suffix | winlog.adapter.domain |
| Change_Reason | winlog.change.reason |
| ComputerName | winlog.computer_name |
| date_zone | event.timezone |
| EventCode | event.code |
| EventType | event.category |
| Host_Name | host.hostname |
| Idle_state_type | winlog.idle_state.type |
| Keywords | winlog.keywords |
| LogName | event.category |
| Maximum_performance_percentage | winlog.performance.max |
| Minimum_performance_percentage | winlog.performance.min |
| Minimum_throttle_percentage | winlog.throttle.min |
| Module_Path | winlog.module.path |
| NominalFrequency__MHz | winlog.nominal.frequency |
| OpCode | winlog.opcode |
| Performance_state_type | winlog.perf_state.type |
| message | event.original |
| RecordNumber | event.sequence |
| Sent_update_to_server | winlog.dns.update |
| Service_Account | winlog.service.account |
| Service_File_Name | service.file.path |
| Service_Name | service.name |
| Service_Start_Type | service.start_ype |
| Service_Type | service.type |
| Sid | winlog.object.identifier |
| SidType | winlog.identifier.type |
| signature | event.description |
| Sleep_Reason | winlog.sleep.reason |
| Sleep_Time | winlog.sleep.time |
| SourceName | event.provider |
| TaskCategory | winlog.task_category |
| time | event.created |
| Type | log.level |
| User | user.name |
| Wake_Source | winlog.wake.source |
| Wake_Time | winlog.wake.time |

WinRegistry

| Original Field Name | ECS Field Name |
|---|---|
| data | winlog.registry.data |
| data_type | winlog.registry.type |
| event_status | event.description |
| eventtype | event.category |
| host | source.hostname |
| key_path | winlog.registry.key.path |
| pid | process.pid |
| process_image | process.name |
| message | event.original |
| registry_key_name | winlog.registry.key.name |
| registry_type | event.action |
| registry_value_name | winlog.registry.name |
| status | event.outcome |
| time | event.created |

XmlWinEventLog:Microsoft Windows Sysmon Operational

| Original Field Name | ECS Field Name |
|---|---|
| CommandLine | process.full |
| Computer | winlog.computer_name |
| CreationUtcTime | file.ctime |
| CurrentDirectory | process.working_directory |
| DestinationHostname | destination.hostname |
| DestinationIp | destination.ip |
| DestinationIsIpv6 | destination.ipv6.flag |
| DestinationPort | destination.port |
| DestinationPortName | network.protocol |
| dvc_nt_host | host.hostname |
| EventChannel | event.provider |
| EventCode | event.code |
| EventDescription | event.description |
| file_name | file.name |
| Hashes | file.hash.table |
| Image | process.name |
| ImageLoaded | process.name |
| IMPHASH | file.hash.imp |
| Initiated | winlog.connection_init.flag |
| IntegrityLevel | winlog.integrity.level |
| Keywords | winlog.keywords |
| Level | event.severity |
| LogonGuid | source.user.id |
| LogonId | winlog.logon.id |
| MD5 | file.hash.md5 |
| Opcode | winlog.opcode |
| ParentCommandLine | process.full |
| ParentImage | process.pname |
| ParentProcessGuid | process.pguid |
| ParentProcessId | process.ppid |
| PreviousCreationUtcTime | file.pctime |
| process | process.name |
| ProcessGuid | process.guid |
| ProcessId | process.pid |
| Protocol | network.transport |
| message | event.original |
| RecordID | event.sequence |
| SecurityID | winlog.object.identifier |
| SHA1 | file.hash.sha1 |
| SHA256 | file.hash.sha256 |
| Signature | winlog.process.signature |
| Signed | winlog.process_signed.flag |
| SourceHostname | source.hostname |
| SourceIp | source.ip |
| SourceIsIpv6 | source.ipv6.flag |
| SourcePort | source.port |
| SourcePortName | network.protocol |
| TargetFilename | file.path |
| Task | winlog.task |
| TerminalSessionId | winlog.terminal.session_id |
| time | event.created |
| TimeCreated | process.start |
| User | user.name |
| UtcTime | winlog.process.time_utc |
| Version | winlog.sysmon.schema_version |
