BOTES Fields
This page contains list of original and ECS matched fields for each Data sourcetype.
Detailed Excel and CSV files can be downloaded here :
BOTES Field details (xlsx) : https://botes.s3-us-west-1.amazonaws.com/botes-summary/excel/BOTES-Fields-Details.xlsx
Field details per sourcetype (CSV)
Download Link
winevent-application
xmlwineventlog-sysmon
Fgt fields
fgt_event
Original Field Name
ECS Field Name
hostname
dhcp.client.hostname
ip
dhcp.source.ip
lease
dhcp.client.lease
mac
dhcp.source.mac
dhcp_msg
dhcp.message
total
dhcp.total.ip
used
dhcp.used.ip
state
event.action
vendor_action
event.action
eventtype
event.category
time
event.created
logdesc
event.description
logid
event.id
message
event.original
status
event.outcome
reason
event.reason
sn
event.sequence
date_zone
event.timezone
level
log.level
subtype
log.subtype
type
log.type
msg
message
bandwidth
network.bandwidth
devname
observer.hostname
devid
observer.id
host
observer.ip
profile
threat.profile.name
count
threat.quarantine.count
product
observer.type
vendor
observer.vendor
interface
source.interface
ui
source.user.interface
src_user
source.user.name
user
source.user.name
fgt_traffic
Original Field Name
ECS Field Name
craction
threat.reputation.id
crlevel
client.reputation.level
crscore
client.reputation.score
rcvdbyte
destination.bytes
dstintf
destination.interface
dstip
destination.ip
tranip
destination.nat.ip
tranport
destination.nat.port
rcvdpkt
destination.packets
dstport
destination.port
eventtype
event.category
time
event.created
logid
event.id
message
event.original
vendor_action
event.outcome
date_zone
event.timezone
mastersrcmac
host.master.mac
level
log.level
subtype
log.subtype
type
log.type
bytes
network.bytes
proto
network.iana_number
trandisp
network.nat.type
packets
network.packets
service
network.protocol
duration
network.session.duration
sessionid
network.session.id
transport
network.transport
countav
threat.antivirus.count
appcat
threat.application.category
appact
threat.application.control.action
countapp
threat.application.control.logs
appid
threat.application.id
applist
threat.application.list
app
threat.application.name
apprisk
threat.application.risk
devname
observer.hostname
devid
observer.id
host
observer.ip
countips
threat.ips.count
utmaction
threat.action.outcome
policyid
threat.policy.id
poluuid
threat.policy.uuid
product
observer.type
vendor
observer.vendor
countweb
threat.webfilter.count
sentbyte
source.bytes
devtype
source.device.type
srcname
source.hostname
srcintf
source.interface
srcip
source.ip
srcmac
source.mac
transip
source.nat.ip
vendor_transport
source.nat.port
osname
source.os.name
osversion
source.os.version
sentpkt
source.packets
srcport
source.port
user
user.name
fgt_utm
Original Field Name
ECS Field Name
crlevel
client.reputation.level
crscore
client.reputation.score
rcvdbyte
destination.bytes
dstintf
destination.interface
dstip
destination.ip
dstport
destination.port
eventtype
event.category
time
event.created
msg
event.description
logid
event.id
message
event.original
vendor_action
event.outcome
method
threat.risk.method
severity
log.level
date_zone
event.timezone
analyticssubmit
file.analysis
analyticscksum
file.hash.sha256
file_hash
file.hash.sha256
filename
file.name
file_path
file.path
reqtype
http.request.type
level
log.level
subtype
log.subtype
type
log.type
bytes
network.bytes
direction
network.direction
proto
network.iana_number
service
network.protocol
sessionid
network.session.id
appcat
threat.application.category
appid
threat.application.id
applist
threat.application.list
app
threat.application.name
apprisk
threat.application.risk
attackid
threat.attack.id
devname
observer.hostname
devid
observer.id
ids_type
observer.ids.type
incidentserialno
threat.incident.id
host
observer.ip
policyid
threat.policy.id
profile
threat.profile.name
catdesc
threat.proxy.category.desc
cat
threat.proxy.category.id
quarskip
threat.quarantine.explain
attack
threat.signature.name
ref
threat.signature.reference
product
observer.type
vendor
observer.vendor
virusid
threat.virus.id
virus
threat.virus.name
dtype
threat.virus.type
sentbyte
source.bytes
srcintf
source.interface
srcip
source.ip
srcport
source.port
hostname
url.domain
url
url.full
vendor_url
url.path
user
user.name
http_user_agent
user_agent.original
IIS fields
IIS
Original Field Name
ECS Field Name
c_ip
client.ip
cs_method
http.request.method
cs_Referer
http.request.referrer
cs_uri_query
url.query
cs_uri_stem
url.path
cs_User_Agent
user_agent.original
cs_username
client.user.name
date_zone
event.timezone
host
source.hostname
message
event.original
sc_status
http.response.status_code
sc_substatus
http.response.substatus_code
sc_win32_status
winlog.win32.status
s_ip
event.source.ip
s_port
server.port
time
event.created
time_taken
http.session.duration
Nessus fields
Nessus:Scan
Original Field Name
ECS Field Name
control
nessus.control.flag
count
nessus.scan.count
edit_allowed
nessus.edit.flag
folder_id
nessus.folder.id
hasaudittrail
nessus.audittrail.flag
haskb
nessus.kb.flag
host
observer.hostname
hostcount
nessus.host.count
host_end
nessus.scan.end
host_id
nessus.host.id
host-ip
destination.ip
hostname
destination.hostname
host_start
nessus.scan.start
mac-address
destination.mac
name
nessus.scan.name
netbios-name
destination.hostname
object_id
nessus.object.id
operating-system
destination.os.full
pci-can-upload
nessus.pciupload.flag
plugin_family
nessus.plugin.family
plugin_id
nessus.plugin.id
plugin_name
nessus.plugin.name
policy
nessus.policy.name
ports{}.port
destination.port
ports{}.protocol
network.protocol
ports{}.transport
network.transport
message
event.original
scanner_name
nessus.scanner.name
scan_start
nessus.scan.start
scan_type
nessus.scan.type
severity
event.severity
severity_id
log.level
severity_index
nessus.severity.index
sid
nessus.security.id
status
nessus.scan.status
targets
nessus.targets
time
event.created
user_permissions
nessus.user.permissions
uuid
nessus.uuid
vuln_index
nessus.vuln.index
Stream fields
Stream:DHCP
Original Field Name
ECS Field Name
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
chaddr
dhcp.client.mac
ciaddr
dhcp.client.ip
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
dns_server
dhcp.offer.dns
endtime
network.session.end
eventtype
event.category
giaddr
dhcp.relay.ip
host
dhcp.server.hostname
ip_lease_time
dhcp.client.lease
opcode
dhcp.message
protocol
network.protocol
message
event.original
router
dhcp.offer.gateway
siaddr
dhcp.bootstrap.server.ip
src_ip
source.ip
src_mac
source.mac
src_port
source.port
subnetmask
dhcp.offer.subnetmask
time
event.created
transaction_id
dhcp.transaction.id
transport
network.transport
yiaddr
dhcp.offer.ip
Stream:DNS
Original Field Name
ECS Field Name
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
duration
network.session.duration
endtime
network.session.end
eventtype
event.category
host
host.hostname
host_addr{}
dns.answers.name
hostname{}
dns.answers.data
message_type
dns.type
name{}
dns.question.name
protocol
network.protocol
query
dns.answers.data
message
event.original
record_type
dns.answers.type
reply_code
dns.response_code
response_time
dns.response.time
reverse_addr{}
dns.answers.reverse
src_ip
source.ip
src_mac
source.mac
src_port
source.port
time
event.created
time_taken
network.session.duration
transaction_id
dns.id
transport
network.transport
ttl{}
dns.answers.ttl
Stream:HTTP
Original Field Name
ECS Field Name
accept
http.request.accept
accept{}
http.request.accept
accept_language
http.request.accept_language
ack_packets_in
client.packets.ack
ack_packets_out
server.packets.ack
age
http.response.age
allow
http.header.allow
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
cached
http.cached
cached{}
http.cached
canceled
http.canceled.responses
c_ip
client.ip
connection_type
http.header.connection
connection_type{}
http.header.connection
content_disposition
http.response.content_dispostion
content_disposition{}
http.response.content_dispostion
content_encoding
http.header.content_encoding
content_location
http.header.content_location
cookie
http.request.cookie
cookie{}
http.request.cookie
cs_cache_control
http.request.cache_control
cs_content_length
http.request.content_length
cs_content_length{}
http.request.content_length
cs_content_type
http.request.content_type
cs_content_type{}
http.request.content_type
cs_date
http.request.data
cs_date{}
http.request.data
cs_pragma
http.request.pragma
cs_version
http.version
cs_version{}
http.version
data_packets_in
client.packets.data
data_packets_out
server.packets.data
date_zone
event.timezone
dest_content
http.response.payload
dest_headers
http.response.headers
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
endtime
network.session.end
etag
http.response.etag
eventtype
event.category
expires
http.response.expires
http_comment
http.response.status
http_content_length
http.response.content_length
http_content_type
http.response.content_type
http_method
http.request.method
http_method{}
http.request.method
http_referrer
http.request.referrer
http_referrer{}
http.request.referrer
http_user_agent
user_agent.original
http_user_agent{}
user_agent.original
location
http.header.content_location
missing_packets_in
client.packets.missing
missing_packets_out
server.packets.missing
network_interface
destination.interface
packets
network.packets
packets_in
destination.packets
packets_out
source.packets
part_filename
file.name
part_filename{}
file.name
protocol
network.protocol
message
event.original
refused
http.request.refused
request
http.request.original
request{}
http.request.original
sc_cache_control
http.response.cache_control
sc_date
http.response.data
sc_pragma
http.response.pragma
server
http.response.server
set_cookie
http.response.cookie
site
url.domain
site{}
url.domain
src_content
http.request.payload
src_headers
http.request.headers
src_ip
source.ip
src_mac
source.mac
src_port
source.port
status
http.response.status_code
status{}
http.response.status_code
time
event.created
time_taken
network.session.duration
transfer_encoding
http.response.transfer_encoding
transport
network.transport
uri
url.original
uri_parm
url.fragment
uri_path
url.path
uri_query
url.query
url
url.full
user
user.name
Stream:ICMP
Original Field Name
ECS Field Name
bytes
network.bytes
bytes_in
destination.bytes
bytes_out
source.bytes
checksum
icmp.checksum
code
icmp.code.id
code_string
icmp.code.name
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
endtime
network.session.end
eventtype
event.category
id
icmp.transaction.id
message
event.original
sequence
icmp.sequence.id
src_ip
source.ip
src_mac
source.mac
time
event.created
time_taken
network.session.duration
type
icmp.type.id
type_string
icmp.type.name
Stream:IP
Original Field Name
ECS Field Name
bytes
network.bytes
bytes_in
destination.bytes
bytes_out
source.bytes
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
endtime
network.session.end
eventtype
event.category
fragment_count
network.ip.fragment
packets
network.packets
packets_in
destination.packets
packets_out
source.packets
protocol
network.transport
protoid
network.iana_number
message
event.original
src_ip
source.ip
src_mac
source.mac
time
event.created
tos
network.ip.tos
version
network.ip.version
Stream:LDAP
Original Field Name
ECS Field Name
assertion_description{}
ldap.assertion.description
assertion_value{}
ldap.assertion.value
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
contains_sasl
ldap.sasl.enable
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
elements
ldap.original.elements
endtime
network.session.end
eventtype
event.category
message_id
ldap.transaction.id
message_type
ldap.message.type
message
event.original
src_ip
source.ip
src_mac
source.mac
src_port
source.port
time
event.created
transport
network.transport
Stream:MAPI
Original Field Name
ECS Field Name
auth_type
mapi.auth.type
auth_type{}
mapi.auth.type
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
domain
user.domain
endtime
network.session.end
eventtype
event.category
login
user.name
login_server
server.user.name
message
event.original
src_ip
source.ip
src_mac
source.mac
src_port
source.port
time
event.created
time_taken
network.session.duration
transport
network.transport
Stream:SIP
Original Field Name
ECS Field Name
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
callee_user_phone
sip.callee.user_phone
caller_user_phone
sip.caller.user_phone
contact
sip.contact.header
cseq
sip.sequence.id
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
endtime
network.session.end
eventtype
event.category
from
sip.from
method
sip.method
message
event.original
request_call_id
sip.call.id
src_ip
source.ip
src_mac
source.mac
src_port
source.port
time
event.created
time_taken
network.session.duration
to
sip.to
transport
network.transport
uri
sip.uri
via
sip.via
Stream:SMB
Original Field Name
ECS Field Name
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
command
smb.header.command
command{}
smb.header.command
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
dialect{}
smb.version
domain
user.domain
endtime
network.session.end
eventtype
event.category
filename
file.name
filename{}
file.name
filesize
file.size
filesize{}
file.size
login
user.name
native_os
client.os.full
native_os{}
client.os.full
nt_status
smb.header.error_status
nt_status{}
smb.header.error_status
path
file.path
message
event.original
search_attributes
smb.search.attributes
search_pattern
smb.search.pattern
service
smb.service.type
service{}
smb.service.type
src_ip
source.ip
src_mac
source.mac
src_port
source.port
time
event.created
time_taken
network.session.duration
transport
network.transport
user_id
user.id
user_id{}
user.id
Stream:SNMP
Original Field Name
ECS Field Name
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
community{}
snmp.community.name
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
endtime
network.session.end
eventtype
event.category
method{}
snmp.request.type
packets
network.packets
packets_in
destination.packets
packets_out
source.packets
message
event.original
request_id
snmp.transaction.id
src_ip
source.ip
src_mac
source.mac
src_port
source.port
time
event.created
time_taken
network.session.duration
transport
network.transport
varbind_list{}.oid
snmp.oid.list
version{}
snmp.version
Stream:TCP
Original Field Name
ECS Field Name
ack_packets_in
client.packets.ack
ack_packets_out
server.packets.ack
bytes
network.bytes
bytes_in
server.bytes
bytes_out
client.bytes
canceled
http.canceled.responses
data_packets_in
client.packets.data
data_packets_out
server.packets.data
date_zone
event.timezone
dest_ip
destination.ip
dest_mac
destination.mac
dest_port
destination.port
endtime
network.session.end
eventtype
event.category
missing_packets_in
client.packets.missing
missing_packets_out
server.packets.missing
packets
network.packets
packets_in
destination.packets
packets_out
source.packets
message
event.original
refused
http.request.refused
src_ip
source.ip
src_mac
source.mac
src_port
source.port
ssl_cert_md5
tls.fingerprint.md5
ssl_cert_self_signed
tls.certificate.self_signed
ssl_cert_sha1
tls.fingerprint.sha1
ssl_cert_sha256
tls.fingerprint.sha256
ssl_cipher_id
tls.cipher.id
ssl_cipher_name
tls.cipher.name
ssl_client_cipher_list{}
tls.client.cipher.list
ssl_client_cipher_names{}
tls.client.cipher.name
ssl_client_compression_methods{}
tls.client.compression_method
ssl_client_hello_version
tls.client.hello.version
ssl_compression_method
tls.negociated.compression_method
ssl_issuer
tls.issuer.dn
ssl_issuer_common_name
tls.issuer.cn
ssl_issuer_country
tls.issuer.country
ssl_issuer_email
tls.issuer.email
ssl_issuer_locality
tls.issuer.locality
ssl_issuer_organization
tls.issuer.organization
ssl_issuer_state
tls.issuer.state
ssl_issuer_unit
tls.issuer.unit
ssl_publickey_algorithm
tls.publickey.algorithm
ssl_publickey_bit_len
tls.publickey.length
ssl_serial
tls.serial.number
ssl_signature_algorithm
tls.signature.algorithm
ssl_subject
tls.subject.dn
ssl_subject_common_name
tls.subject.cn
ssl_subject_country
tls.subject.country
ssl_subject_locality
tls.subject.locality
ssl_subject_organization
tls.subject.organization
ssl_subject_state
tls.subject.state
ssl_subject_unit
tls.subject.unit
ssl_validity_end
tls.validity.end
ssl_validity_start
tls.validity.start
ssl_version
tls.version
tcp_status
tcp.state
time
event.created
time_taken
network.session.duration
transport
network.transport
Suricata fields
Suricata
Original Field Name
ECS Field Name
flow.bytes_toclient
destination.bytes
in_iface
destination.interface
dest_ip
destination.ip
flow.pkts_toclient
destination.packets
dest_port
destination.port
answer
dns.answers
dns.rcode
dns.response_code
dns.type
dns.type
dns.rdata
dns.answers.data
dns.rrname
dns.answers.name
dns.rrtype
dns.answers.type
dns.id
dns.id
dns.ttl
dns.answers.ttl
alert.category
event.category
event_type
event.category
eventtype
event.category
time
event.created
message
event.original
alert.action
event.outcome
alert.severity
event.severity
date_zone
event.timezone
fileinfo.filename
file.path
fileinfo.size
file.size
http.http_content_type
http.response.content_type
http.redirect
http.redirect.url
http.http_method
http.request.method
http.http_refer
http.request.referrer
http.length
http.response.content_length
http.status
http.response.status_code
http.protocol
http.version
http.xff
http.xff
icmp_code
icmp.code.id
icmp_type
icmp.type.id
app_proto
network.protocol
flow.age
network.session.duration
flow.end
network.session.end
flow_id
network.session.id
flow.reason
network.session.reason
flow.start
network.session.start
flow.state
network.session.state
proto
network.transport
alert.signature_id
threat.attack.id
fileinfo.state
threat.file.state
fileinfo.stored
threat.file.stored
host
observer.hostname
ids_type
observer.ids.type
alert.gid
threat.signature.gid
alert.signature
threat.signature.name
alert.rev
threat.signature.revision
product
observer.type
vendor
observer.vendor
flow.bytes_toserver
source.bytes
flow.pkts_toserver
source.bytes
src_ip
source.ip
src_port
source.port
ssh.client.software_version
ssh.client.software
ssh.client.proto_version
ssh.client.version
ssh.server.software_version
ssh.server.software
ssh.server.proto_version
ssh.server.version
stats.capture.kernel_drops
suricata.eve.stats.capture.kernel_drops
stats.capture.kernel_packets
suricata.eve.stats.capture.kernel_packets
stats.decoder.avg_pkt_size
suricata.eve.stats.decoder.avg_pkt_size
stats.decoder.bytes
suricata.eve.stats.decoder.bytes
stats.decoder.erspan
suricata.eve.stats.decoder.erspan
stats.decoder.ethernet
suricata.eve.stats.decoder.ethernet
stats.decoder.gre
suricata.eve.stats.decoder.gre
stats.decoder.icmpv4
suricata.eve.stats.decoder.icmpv4
stats.decoder.icmpv6
suricata.eve.stats.decoder.icmpv6
stats.decoder.invalid
suricata.eve.stats.decoder.invalid
stats.decoder.ipraw.invalid_ip_version
suricata.eve.stats.decoder.ipraw.invalid_ip_version
stats.decoder.ipv4
suricata.eve.stats.decoder.ipv4
stats.decoder.ipv4_in_ipv6
suricata.eve.stats.decoder.ipv4_in_ipv6
stats.decoder.ipv6
suricata.eve.stats.decoder.ipv6
stats.decoder.ipv6_in_ipv6
suricata.eve.stats.decoder.ipv6_in_ipv6
stats.decoder.ltnull.pkt_too_small
suricata.eve.stats.decoder.ltnull.pkt_too_small
stats.decoder.ltnull.unsupported_type
suricata.eve.stats.decoder.ltnull.unsupported_type
stats.decoder.max_pkt_size
suricata.eve.stats.decoder.max_pkt_size
stats.decoder.mpls
suricata.eve.stats.decoder.mpls
stats.decoder.null
suricata.eve.stats.decoder.null
stats.decoder.pkts
suricata.eve.stats.decoder.pkts
stats.decoder.ppp
suricata.eve.stats.decoder.ppp
stats.decoder.pppoe
suricata.eve.stats.decoder.pppoe
stats.decoder.raw
suricata.eve.stats.decoder.raw
stats.decoder.sctp
suricata.eve.stats.decoder.sctp
stats.decoder.sll
suricata.eve.stats.decoder.sll
stats.decoder.tcp
suricata.eve.stats.decoder.tcp
stats.decoder.teredo
suricata.eve.stats.decoder.teredo
stats.decoder.udp
suricata.eve.stats.decoder.udp
stats.decoder.vlan
suricata.eve.stats.decoder.vlan
stats.decoder.vlan_qinq
suricata.eve.stats.decoder.vlan_qinq
stats.defrag.ipv4.fragments
suricata.eve.stats.defrag.ipv4.fragments
stats.defrag.ipv4.reassembled
suricata.eve.stats.defrag.ipv4.reassembled
stats.defrag.ipv4.timeouts
suricata.eve.stats.defrag.ipv4.timeouts
stats.defrag.ipv6.fragments
suricata.eve.stats.defrag.ipv6.fragments
stats.defrag.ipv6.reassembled
suricata.eve.stats.defrag.ipv6.reassembled
stats.defrag.ipv6.timeouts
suricata.eve.stats.defrag.ipv6.timeouts
stats.defrag.max_frag_hits
suricata.eve.stats.defrag.max_frag_hits
stats.detect.alert
suricata.eve.stats.detect.alert
stats.dns.memcap_global
suricata.eve.stats.dns.memcap_global
stats.dns.memcap_state
suricata.eve.stats.dns.memcap_state
stats.dns.memuse
suricata.eve.stats.dns.memuse
stats.flow.emerg_mode_entered
suricata.eve.stats.flow.emerg_mode_entered
stats.flow.emerg_mode_over
suricata.eve.stats.flow.emerg_mode_over
stats.flow.memcap
suricata.eve.stats.flow.memcap
stats.flow.memuse
suricata.eve.stats.flow.memuse
stats.flow.spare
suricata.eve.stats.flow.spare
stats.flow.tcp_reuse
suricata.eve.stats.flow.tcp_reuse
stats.flow_mgr.closed_pruned
suricata.eve.stats.flow_mgr.closed_pruned
stats.flow_mgr.est_pruned
suricata.eve.stats.flow_mgr.est_pruned
stats.flow_mgr.new_pruned
suricata.eve.stats.flow_mgr.new_pruned
stats.http.memcap
suricata.eve.stats.http.memcap
stats.http.memuse
suricata.eve.stats.http.memuse
stats.stream.3whs_ack_in_wrong_dir
suricata.eve.stats.stream.3whs_ack_in_wrong_dir
stats.stream.3whs_async_wrong_seq
suricata.eve.stats.stream.3whs_async_wrong_seq
stats.stream.3whs_right_seq_wrong_ack_evasion
suricata.eve.stats.stream.3whs_right_seq_wrong_ack_evasion
stats.tcp.invalid_checksum
suricata.eve.stats.tcp.invalid_checksum
stats.tcp.memuse
suricata.eve.stats.tcp.memuse
stats.tcp.no_flow
suricata.eve.stats.tcp.no_flow
stats.tcp.pseudo
suricata.eve.stats.tcp.pseudo
stats.tcp.pseudo_failed
suricata.eve.stats.tcp.pseudo_failed
stats.tcp.reassembly_gap
suricata.eve.stats.tcp.reassembly_gap
stats.tcp.reassembly_memuse
suricata.eve.stats.tcp.reassembly_memuse
stats.tcp.rst
suricata.eve.stats.tcp.rst
stats.tcp.segment_memcap_drop
suricata.eve.stats.tcp.segment_memcap_drop
stats.tcp.sessions
suricata.eve.stats.tcp.sessions
stats.tcp.ssn_memcap_drop
suricata.eve.stats.tcp.ssn_memcap_drop
stats.tcp.stream_depth_reached
suricata.eve.stats.tcp.stream_depth_reached
stats.tcp.syn
suricata.eve.stats.tcp.syn
stats.tcp.synack
suricata.eve.stats.tcp.synack
stats.uptime
suricata.eve.stats.uptime
tcp.ack
tcp.ack
tcp.tcp_flags_ts
tcp.client.flag.hex
tcp_flag_to_server
tcp.client.flag.name
tcp.cwr
tcp.cwr
tcp.ecn
tcp.ecn
tcp.fin
tcp.fin
tcp.tcp_flags
tcp.flag.hex
tcp_flag
tcp.flag.name
tcp.psh
tcp.psh
tcp.rst
tcp.rst
tcp.tcp_flags_tc
tcp.server.flag.hex
tcp_flag_to_client
tcp.server.flag.name
tcp.state
tcp.state
tcp.syn
tcp.syn
tls.fingerprint
tls.fingerprint.sha1
tls.issuerdn
tls.issuer.dn
ssl_issuer_email
tls.issuer.email
ssl_issuer_locality
tls.issuer.locality
ssl_issuer_organization
tls.issuer.organization
ssl_serial
tls.serial.number
tls.sni
tls.sni
tls.subject
tls.subject.dn
ssl_subject_email
tls.subject.email
ssl_subject_locality
tls.subject.locality
ssl_subject_organization
tls.subject.organization
tls.version
tls.version
http.hostname
url.domain
http.url
url.path
http.http_user_agent
user_agent.original
WinEvent fields
WinEventLog:Application
Original Field Name
ECS Field Name
Cab_Id
winlog.cab_id
ComputerName
winlog.computer_name
date_zone
event.timezone
dvc_nt_host
host.hostname
EventCode
event.code
Event_Name
winlog.name
EventType
event.category
Hashed_bucket
winlog.hashed.bucket
HRESULT
winlog.hresult
Internal_Timing_Sequence
winlog.esent.sequence
Keywords
winlog.keywords
LogName
event.category
OpCode
winlog.opcode
P1
winlog.problem.signature
P2
winlog.problem.signature
P3
winlog.problem.signature
P4
winlog.problem.signature
P5
winlog.problem.signature
P6
winlog.problem.signature
P7
winlog.problem.signature
P8
winlog.problem.signature
P9
winlog.problem.signature
P10
winlog.problem.signature
message
event.original
Rechecking_for_solution
winlog.checksolution.flag
RecordNumber
event.sequence
Report_Id
winlog.report.id
Report_Status
winlog.wer.status
Response
winlog.report.response
Revived_Cache
winlog.esent.revived_cache
Saved_Cache
winlog.esent.saved_cache
Sid
winlog.object.identifier
SidType
winlog.identifier.type
SourceName
event.provider
TaskCategory
event.module
time
event.created
Type
log.level
User
user.name
WinEventLog:Security
Original Field Name
ECS Field Name
Accesses
winlog.access.permissions
Access_Mask
winlog.access.mask
Access_Reasons
winlog.access.reasons
Account_Domain
user.domain
Account_Name
user.name
Additional_Information
winlog.additional.info
Advanced_Options
winlog.boot_legacy.flag
Authentication_Package
winlog.auth.logon
Authentication_Package_Name
winlog.auth.loaded
ComputerName
winlog.computer_name
Configuration_Access_Policy
winlog.boot.policy
Creator_Process_ID
process.ppid
Creator_Process_Name
process.pname
date_zone
event.timezone
Desired_Access
winlog.access.desired
Disable_Integrity_Checks
winlog.integrity_checks.flag
dvc_nt_host
host.hostname
Elevated_Token
winlog.elevated_token.flag
Error_Code
error.code
EventCode
event.code
EventType
event.category
Exit_Status
process.exit.status
File_Name
file.path
Flight_Signing
winlog.flight_signing.flag
Group_Domain
user.group.domain
Group_Name
user.group.name
Handle_ID
winlog.handle_id
HyperVisor_Debugging
winlog.hypervisor_debug.flag
HyperVisor_Launch_Type
winlog.hypervisor_launch_type
HyperVisor_Load_Options
winlog.hypervisor_load_options
Impersonation_Level
winlog.impersonation
Kernel_Debugging
winlog.kernel_debug.flag
Key_Length
winlog.ntlm.key_length
Keywords
winlog.keywords
Linked_Logon_ID
winlog.linked.logon.id
Link_Name
file.target_path
Load_Options
winlog.boot_options
LogName
event.category
Logon_Account
source.user.name
Logon_GUID
source.user.id
Logon_ID
winlog.logon.id
Logon_Process
winlog.logon.process
Logon_Process_Name
winlog.logon.process
Logon_Type
winlog.logon.type
Mandatory_Label
winlog.integrity.label
Name
process.executable
Network_Account_Domain
destination.user.domain
Network_Account_Name
destination.user.name
Network_Address
source.ip
New_Process_ID
process.pid
New_Process_Name
process.name
New_Security_Descriptor
winlog.sddl.new
New_State
winlog.transaction.state
New_Time
winlog.new_time
Notification_Package_Name
winlog.notification.package
Number_of_Elements
winlog.user.per_policy
Object_Handle
winlog.handle.id
Object_Name
winlog.object.name
Object_Server
winlog.subsystem.name
Object_Type
winlog.object.type
OpCode
winlog.opcode
Original_Security_Descriptor
winlog.sddl.old
PackageName__NTLM_only
winlog.ntlm.sub_package
Peer_Name
winlog.rpc.peer_name
Policy_ID
winlog.policy.id
Port
source.port
Previous_Time
winlog.old_time
Privileges
winlog.requested.privileges
Privileges_Used_for_Access_Check
winlog.access_check.privileges
Process_Command_Line
process.full
Process_ID
process.pid
Process_Name
process.name
Protocol_Sequence
winlog.rpc.sequence
message
event.original
RecordNumber
event.sequence
Relative_Target_Name
file.target_path
Resource_Attributes
winlog.file.attributes
Resource_Manager
winlog.resource_mgr.id
Restricted_Admin_Mode
winlog.admin_mode.flag
Restricted_SID_Count
winlog.restricted_sid.count
RM_Transaction_ID
winlog.resource_mgr.transac_id
Security_Error
wilong.rpc.error
Security_ID
winlog.object.identifier
Security_Package_Name
winlog.auth.loaded
Server
winlog.subsystem.name
Service_Account
winlog.service.account
Service_File_Name
service.file.path
Service_Name
service.name
Service_Start_Type
service.start_ype
Service_Type
service.type
Session_ID
winlog.session.id
Share_Name
winlog.share.name
Share_Path
winlog.share.path
Source_Address
source.ip
SourceName
event.provider
Source_Network_Address
source.ip
Source_Port
source.port
Source_Workstation
source.hostname
subject
event.description
System_Event_Logging
winlog.event_logging.flag
Target_Server_Name
destination.hostname
TaskCategory
winlog.task_category
Test_Signing
winlog.test_signing.flag
time
event.created
Token_Elevation_Type
winlog.token_elevation.type
Token_Elevation_Type_id
winlog.token_elevation.id
Transaction_ID
winlog.transaction.id
Transited_Services
winlog.transmitted_services
Type
log.level
Virtual_Account
winlog.virtual_account.flag
VSM_Launch_Type
winlog.vsm_launch.type
Workstation_Name
source.hostname
WinEventLog:System
Original Field Name
ECS Field Name
Adapter_Name
winlog.adapter.name
Adapter_specific_Domain_Suffix
winlog.adapter.domain
Change_Reason
winlog.change.reason
ComputerName
winlog.computer_name
date_zone
event.timezone
EventCode
event.code
EventType
event.category
Host_Name
host.hostname
Idle_state_type
winlog.idle_state.type
Keywords
winlog.keywords
LogName
event.category
Maximum_performance_percentage
winlog.performance.max
Minimum_performance_percentage
winlog.performance.min
Minimum_throttle_percentage
winlog.throttle.min
Module_Path
winlog.module.path
NominalFrequency__MHz
winlog.nominal.frequency
OpCode
winlog.opcode
Performance_state_type
winlog.perf_state.type
message
event.original
RecordNumber
event.sequence
Sent_update_to_server
winlog.dns.update
Service_Account
winlog.service.account
Service_File_Name
service.file.path
Service_Name
service.name
Service_Start_Type
service.start_ype
Service_Type
service.type
Sid
winlog.object.identifier
SidType
winlog.identifier.type
signature
event.description
Sleep_Reason
winlog.sleep.reason
Sleep_Time
winlog.sleep.time
SourceName
event.provider
TaskCategory
winlog.task_category
time
event.created
Type
log.level
User
user.name
Wake_Source
winlog.wake.source
Wake_Time
winlog.wake.time
WinRegistry
Original Field Name
ECS Field Name
data
winlog.registry.data
data_type
winlog.registry.type
event_status
event.description
eventtype
event.category
host
source.hostname
key_path
winlog.registry.key.path
pid
process.pid
process_image
process.name
message
event.original
registry_key_name
winlog.registry.key.name
registry_type
event.action
registry_value_name
winlog.registry.name
status
event.outcome
time
event.created
XmlWinEventLog:Microsoft Windows Sysmon Operational
Original Field Name
ECS Field Name
CommandLine
process.full
Computer
winlog.computer_name
CreationUtcTime
file.ctime
CurrentDirectory
process.working_directory
DestinationHostname
destination.hostname
DestinationIp
destination.ip
DestinationIsIpv6
destination.ipv6.flag
DestinationPort
destination.port
DestinationPortName
network.protocol
dvc_nt_host
host.hostname
EventChannel
event.provider
EventCode
event.code
EventDescription
event.description
file_name
file.name
Hashes
file.hash.table
Image
process.name
ImageLoaded
process.name
IMPHASH
file.hash.imp
Initiated
winlog.connection_init.flag
IntegrityLevel
winlog.integrity.level
Keywords
winlog.keywords
Level
event.severity
LogonGuid
source.user.id
LogonId
winlog.logon.id
MD5
file.hash.md5
Opcode
winlog.opcode
ParentCommandLine
process.full
ParentImage
process.pname
ParentProcessGuid
process.pguid
ParentProcessId
process.ppid
PreviousCreationUtcTime
file.pctime
process
process.name
ProcessGuid
process.guid
ProcessId
process.pid
Protocol
network.transport
message
event.original
RecordID
event.sequence
SecurityID
winlog.object.identifier
SHA1
file.hash.sha1
SHA256
file.hash.sha256
Signature
winlog.process.signature
Signed
winlog.process_signed.flag
SourceHostname
source.hostname
SourceIp
source.ip
SourceIsIpv6
source.ipv6.flag
SourcePort
source.port
SourcePortName
network.protocol
TargetFilename
file.path
Task
winlog.task
TerminalSessionId
winlog.terminal.session_id
time
event.created
TimeCreated
process.start
User
user.name
UtcTime
winlog.process.time_utc
Version
winlog.sysmon.schema_version
Last updated
Was this helpful?