Detailed Excel and CSV files can be downloaded here:
BOTES field details (xlsx):
Sourcetype: fgt_event

| Original Field Name | ECS Field Name |
|---|---|
| hostname | dhcp.client.hostname |
| ip | dhcp.source.ip |
| lease | dhcp.client.lease |
| mac | dhcp.source.mac |
| dhcp_msg | dhcp.message |
| total | dhcp.total.ip |
| used | dhcp.used.ip |
| state | event.action |
| vendor_action | event.action |
| eventtype | event.category |
| time | event.created |
| logdesc | event.description |
| logid | event.id |
| message | event.original |
| status | event.outcome |
| reason | event.reason |
| sn | event.sequence |
| date_zone | event.timezone |
| level | log.level |
| subtype | log.subtype |
| type | log.type |
| msg | message |
| bandwidth | network.bandwidth |
| devname | observer.hostname |
| devid | observer.id |
| host | observer.ip |
| profile | threat.profile.name |
| count | threat.quarantine.count |
| product | observer.type |
| vendor | observer.vendor |
| interface | source.interface |
| ui | source.user.interface |
| src_user | source.user.name |
| user | source.user.name |
Sourcetype: fgt_traffic

| Original Field Name | ECS Field Name |
|---|---|
| craction | threat.reputation.id |
| crlevel | client.reputation.level |
| crscore | client.reputation.score |
| rcvdbyte | destination.bytes |
| dstintf | destination.interface |
| dstip | destination.ip |
| tranip | destination.nat.ip |
| tranport | destination.nat.port |
| rcvdpkt | destination.packets |
| dstport | destination.port |
| eventtype | event.category |
| time | event.created |
| logid | event.id |
| message | event.original |
| vendor_action | event.outcome |
| date_zone | event.timezone |
| mastersrcmac | host.master.mac |
| level | log.level |
| subtype | log.subtype |
| type | log.type |
| bytes | network.bytes |
| proto | network.iana_number |
| trandisp | network.nat.type |
| packets | network.packets |
| service | network.protocol |
| duration | network.session.duration |
| sessionid | network.session.id |
| transport | network.transport |
| countav | threat.antivirus.count |
| appcat | threat.application.category |
| appact | threat.application.control.action |
| countapp | threat.application.control.logs |
| appid | threat.application.id |
| applist | threat.application.list |
| app | threat.application.name |
| apprisk | threat.application.risk |
| devname | observer.hostname |
| devid | observer.id |
| host | observer.ip |
| countips | threat.ips.count |
| utmaction | threat.action.outcome |
| policyid | threat.policy.id |
| poluuid | threat.policy.uuid |
| product | observer.type |
| vendor | observer.vendor |
| countweb | threat.webfilter.count |
| sentbyte | source.bytes |
| devtype | source.device.type |
| srcname | source.hostname |
| srcintf | source.interface |
| srcip | source.ip |
| srcmac | source.mac |
| transip | source.nat.ip |
| vendor_transport | source.nat.port |
| osname | source.os.name |
| osversion | source.os.version |
| sentpkt | source.packets |
| srcport | source.port |
| user | user.name |
Sourcetype: fgt_utm

| Original Field Name | ECS Field Name |
|---|---|
| crlevel | client.reputation.level |
| crscore | client.reputation.score |
| rcvdbyte | destination.bytes |
| dstintf | destination.interface |
| dstip | destination.ip |
| dstport | destination.port |
| eventtype | event.category |
| time | event.created |
| msg | event.description |
| logid | event.id |
| message | event.original |
| vendor_action | event.outcome |
| method | threat.risk.method |
| severity | log.level |
| date_zone | event.timezone |
| analyticssubmit | file.analysis |
| analyticscksum | file.hash.sha256 |
| file_hash | file.hash.sha256 |
| filename | file.name |
| file_path | file.path |
| reqtype | http.request.type |
| level | log.level |
| subtype | log.subtype |
| type | log.type |
| bytes | network.bytes |
| direction | network.direction |
| proto | network.iana_number |
| service | network.protocol |
| sessionid | network.session.id |
| appcat | threat.application.category |
| appid | threat.application.id |
| applist | threat.application.list |
| app | threat.application.name |
| apprisk | threat.application.risk |
| attackid | threat.attack.id |
| devname | observer.hostname |
| devid | observer.id |
| ids_type | observer.ids.type |
| incidentserialno | threat.incident.id |
| host | observer.ip |
| policyid | threat.policy.id |
| profile | threat.profile.name |
| catdesc | threat.proxy.category.desc |
| cat | threat.proxy.category.id |
| quarskip | threat.quarantine.explain |
| attack | threat.signature.name |
| ref | threat.signature.reference |
| product | observer.type |
| vendor | observer.vendor |
| virusid | threat.virus.id |
| virus | threat.virus.name |
| dtype | threat.virus.type |
| sentbyte | source.bytes |
| srcintf | source.interface |
| srcip | source.ip |
| srcport | source.port |
| hostname | url.domain |
| url | url.full |
| vendor_url | url.path |
| user | user.name |
| http_user_agent | user_agent.original |
Sourcetype: iis

| Original Field Name | ECS Field Name |
|---|---|
| c_ip | client.ip |
| cs_method | http.request.method |
| cs_Referer | http.request.referrer |
| cs_uri_query | url.query |
| cs_uri_stem | url.path |
| cs_User_Agent | user_agent.original |
| cs_username | client.user.name |
| date_zone | event.timezone |
| host | source.hostname |
| message | event.original |
| sc_status | http.response.status_code |
| sc_substatus | http.response.substatus_code |
| sc_win32_status | winlog.win32.status |
| s_ip | event.source.ip |
| s_port | server.port |
| time | event.created |
| time_taken | http.session.duration |
Sourcetype: nessus-scan

| Original Field Name | ECS Field Name |
|---|---|
| control | nessus.control.flag |
| count | nessus.scan.count |
| edit_allowed | nessus.edit.flag |
| folder_id | nessus.folder.id |
| hasaudittrail | nessus.audittrail.flag |
| haskb | nessus.kb.flag |
| host | observer.hostname |
| hostcount | nessus.host.count |
| host_end | nessus.scan.end |
| host_id | nessus.host.id |
| host-ip | destination.ip |
| hostname | destination.hostname |
| host_start | nessus.scan.start |
| mac-address | destination.mac |
| name | nessus.scan.name |
| netbios-name | destination.hostname |
| object_id | nessus.object.id |
| operating-system | destination.os.full |
| pci-can-upload | nessus.pciupload.flag |
| plugin_family | nessus.plugin.family |
| plugin_id | nessus.plugin.id |
| plugin_name | nessus.plugin.name |
| policy | nessus.policy.name |
| ports{}.port | destination.port |
| ports{}.protocol | network.protocol |
| ports{}.transport | network.transport |
| message | event.original |
| scanner_name | nessus.scanner.name |
| scan_start | nessus.scan.start |
| scan_type | nessus.scan.type |
| severity | event.severity |
| severity_id | log.level |
| severity_index | nessus.severity.index |
| sid | nessus.security.id |
| status | nessus.scan.status |
| targets | nessus.targets |
| time | event.created |
| user_permissions | nessus.user.permissions |
| uuid | nessus.uuid |
| vuln_index | nessus.vuln.index |
Sourcetype: stream-dhcp

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| chaddr | dhcp.client.mac |
| ciaddr | dhcp.client.ip |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| dns_server | dhcp.offer.dns |
| endtime | network.session.end |
| eventtype | event.category |
| giaddr | dhcp.relay.ip |
| host | dhcp.server.hostname |
| ip_lease_time | dhcp.client.lease |
| opcode | dhcp.message |
| protocol | network.protocol |
| message | event.original |
| router | dhcp.offer.gateway |
| siaddr | dhcp.bootstrap.server.ip |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| subnetmask | dhcp.offer.subnetmask |
| time | event.created |
| transaction_id | dhcp.transaction.id |
| transport | network.transport |
| yiaddr | dhcp.offer.ip |
Sourcetype: stream-dns

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| duration | network.session.duration |
| endtime | network.session.end |
| eventtype | event.category |
| host | host.hostname |
| host_addr{} | dns.answers.name |
| hostname{} | dns.answers.data |
| message_type | dns.type |
| name{} | dns.question.name |
| protocol | network.protocol |
| query | dns.answers.data |
| message | event.original |
| record_type | dns.answers.type |
| reply_code | dns.response_code |
| response_time | dns.response.time |
| reverse_addr{} | dns.answers.reverse |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transaction_id | dns.id |
| transport | network.transport |
| ttl{} | dns.answers.ttl |
Sourcetype: stream-http

| Original Field Name | ECS Field Name |
|---|---|
| accept | http.request.accept |
| accept{} | http.request.accept |
| accept_language | http.request.accept_language |
| ack_packets_in | client.packets.ack |
| ack_packets_out | server.packets.ack |
| age | http.response.age |
| allow | http.header.allow |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| cached | http.cached |
| cached{} | http.cached |
| canceled | http.canceled.responses |
| c_ip | client.ip |
| connection_type | http.header.connection |
| connection_type{} | http.header.connection |
| content_disposition | http.response.content_dispostion |
| content_disposition{} | http.response.content_dispostion |
| content_encoding | http.header.content_encoding |
| content_location | http.header.content_location |
| cookie | http.request.cookie |
| cookie{} | http.request.cookie |
| cs_cache_control | http.request.cache_control |
| cs_content_length | http.request.content_length |
| cs_content_length{} | http.request.content_length |
| cs_content_type | http.request.content_type |
| cs_content_type{} | http.request.content_type |
| cs_date | http.request.data |
| cs_date{} | http.request.data |
| cs_pragma | http.request.pragma |
| cs_version | http.version |
| cs_version{} | http.version |
| data_packets_in | client.packets.data |
| data_packets_out | server.packets.data |
| date_zone | event.timezone |
| dest_content | http.response.payload |
| dest_headers | http.response.headers |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| etag | http.response.etag |
| eventtype | event.category |
| expires | http.response.expires |
| http_comment | http.response.status |
| http_content_length | http.response.content_length |
| http_content_type | http.response.content_type |
| http_method | http.request.method |
| http_method{} | http.request.method |
| http_referrer | http.request.referrer |
| http_referrer{} | http.request.referrer |
| http_user_agent | user_agent.original |
| http_user_agent{} | user_agent.original |
| location | http.header.content_location |
| missing_packets_in | client.packets.missing |
| missing_packets_out | server.packets.missing |
| network_interface | destination.interface |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| part_filename | file.name |
| part_filename{} | file.name |
| protocol | network.protocol |
| message | event.original |
| refused | http.request.refused |
| request | http.request.original |
| request{} | http.request.original |
| sc_cache_control | http.response.cache_control |
| sc_date | http.response.data |
| sc_pragma | http.response.pragma |
| server | http.response.server |
| set_cookie | http.response.cookie |
| site | url.domain |
| site{} | url.domain |
| src_content | http.request.payload |
| src_headers | http.request.headers |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| status | http.response.status_code |
| status{} | http.response.status_code |
| time | event.created |
| time_taken | network.session.duration |
| transfer_encoding | http.response.transfer_encoding |
| transport | network.transport |
| uri | url.original |
| uri_parm | url.fragment |
| uri_path | url.path |
| uri_query | url.query |
| url | url.full |
| user | user.name |
Sourcetype: stream-icmp

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | destination.bytes |
| bytes_out | source.bytes |
| checksum | icmp.checksum |
| code | icmp.code.id |
| code_string | icmp.code.name |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| endtime | network.session.end |
| eventtype | event.category |
| id | icmp.transaction.id |
| message | event.original |
| sequence | icmp.sequence.id |
| src_ip | source.ip |
| src_mac | source.mac |
| time | event.created |
| time_taken | network.session.duration |
| type | icmp.type.id |
| type_string | icmp.type.name |
Sourcetype: stream-ip

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | destination.bytes |
| bytes_out | source.bytes |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| endtime | network.session.end |
| eventtype | event.category |
| fragment_count | network.ip.fragment |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| protocol | network.transport |
| protoid | network.iana_number |
| message | event.original |
| src_ip | source.ip |
| src_mac | source.mac |
| time | event.created |
| tos | network.ip.tos |
| version | network.ip.version |
Sourcetype: stream-ldap

| Original Field Name | ECS Field Name |
|---|---|
| assertion_description{} | ldap.assertion.description |
| assertion_value{} | ldap.assertion.value |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| contains_sasl | ldap.sasl.enable |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| elements | ldap.original.elements |
| endtime | network.session.end |
| eventtype | event.category |
| message_id | ldap.transaction.id |
| message_type | ldap.message.type |
| message | event.original |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| transport | network.transport |
Sourcetype: stream-mapi

| Original Field Name | ECS Field Name |
|---|---|
| auth_type | mapi.auth.type |
| auth_type{} | mapi.auth.type |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| domain | user.domain |
| endtime | network.session.end |
| eventtype | event.category |
| login | user.name |
| login_server | server.user.name |
| message | event.original |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |
Sourcetype: stream-sip

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| callee_user_phone | sip.callee.user_phone |
| caller_user_phone | sip.caller.user_phone |
| contact | sip.contact.header |
| cseq | sip.sequence.id |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| eventtype | event.category |
| from | sip.from |
| method | sip.method |
| message | event.original |
| request_call_id | sip.call.id |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| to | sip.to |
| transport | network.transport |
| uri | sip.uri |
| via | sip.via |
Sourcetype: stream-smb

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| command | smb.header.command |
| command{} | smb.header.command |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| dialect{} | smb.version |
| domain | user.domain |
| endtime | network.session.end |
| eventtype | event.category |
| filename | file.name |
| filename{} | file.name |
| filesize | file.size |
| filesize{} | file.size |
| login | user.name |
| native_os | client.os.full |
| native_os{} | client.os.full |
| nt_status | smb.header.error_status |
| nt_status{} | smb.header.error_status |
| path | file.path |
| message | event.original |
| search_attributes | smb.search.attributes |
| search_pattern | smb.search.pattern |
| service | smb.service.type |
| service{} | smb.service.type |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |
| user_id | user.id |
| user_id{} | user.id |
Sourcetype: stream-snmp

| Original Field Name | ECS Field Name |
|---|---|
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| community{} | snmp.community.name |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| eventtype | event.category |
| method{} | snmp.request.type |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| message | event.original |
| request_id | snmp.transaction.id |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |
| varbind_list{}.oid | snmp.oid.list |
| version{} | snmp.version |
Sourcetype: stream-tcp

| Original Field Name | ECS Field Name |
|---|---|
| ack_packets_in | client.packets.ack |
| ack_packets_out | server.packets.ack |
| bytes | network.bytes |
| bytes_in | server.bytes |
| bytes_out | client.bytes |
| canceled | http.canceled.responses |
| data_packets_in | client.packets.data |
| data_packets_out | server.packets.data |
| date_zone | event.timezone |
| dest_ip | destination.ip |
| dest_mac | destination.mac |
| dest_port | destination.port |
| endtime | network.session.end |
| eventtype | event.category |
| missing_packets_in | client.packets.missing |
| missing_packets_out | server.packets.missing |
| packets | network.packets |
| packets_in | destination.packets |
| packets_out | source.packets |
| message | event.original |
| refused | http.request.refused |
| src_ip | source.ip |
| src_mac | source.mac |
| src_port | source.port |
| ssl_cert_md5 | tls.fingerprint.md5 |
| ssl_cert_self_signed | tls.certificate.self_signed |
| ssl_cert_sha1 | tls.fingerprint.sha1 |
| ssl_cert_sha256 | tls.fingerprint.sha256 |
| ssl_cipher_id | tls.cipher.id |
| ssl_cipher_name | tls.cipher.name |
| ssl_client_cipher_list{} | tls.client.cipher.list |
| ssl_client_cipher_names{} | tls.client.cipher.name |
| ssl_client_compression_methods{} | tls.client.compression_method |
| ssl_client_hello_version | tls.client.hello.version |
| ssl_compression_method | tls.negociated.compression_method |
| ssl_issuer | tls.issuer.dn |
| ssl_issuer_common_name | tls.issuer.cn |
| ssl_issuer_country | tls.issuer.country |
| ssl_issuer_email | tls.issuer.email |
| ssl_issuer_locality | tls.issuer.locality |
| ssl_issuer_organization | tls.issuer.organization |
| ssl_issuer_state | tls.issuer.state |
| ssl_issuer_unit | tls.issuer.unit |
| ssl_publickey_algorithm | tls.publickey.algorithm |
| ssl_publickey_bit_len | tls.publickey.length |
| ssl_serial | tls.serial.number |
| ssl_signature_algorithm | tls.signature.algorithm |
| ssl_subject | tls.subject.dn |
| ssl_subject_common_name | tls.subject.cn |
| ssl_subject_country | tls.subject.country |
| ssl_subject_locality | tls.subject.locality |
| ssl_subject_organization | tls.subject.organization |
| ssl_subject_state | tls.subject.state |
| ssl_subject_unit | tls.subject.unit |
| ssl_validity_end | tls.validity.end |
| ssl_validity_start | tls.validity.start |
| ssl_version | tls.version |
| tcp_status | tcp.state |
| time | event.created |
| time_taken | network.session.duration |
| transport | network.transport |
Sourcetype: suricata

| Original Field Name | ECS Field Name |
|---|---|
| flow.bytes_toclient | destination.bytes |
| in_iface | destination.interface |
| dest_ip | destination.ip |
| flow.pkts_toclient | destination.packets |
| dest_port | destination.port |
| answer | dns.answers |
| dns.rcode | dns.response_code |
| dns.type | dns.type |
| dns.rdata | dns.answers.data |
| dns.rrname | dns.answers.name |
| dns.rrtype | dns.answers.type |
| dns.id | dns.id |
| dns.ttl | dns.answers.ttl |
| alert.category | event.category |
| event_type | event.category |
| eventtype | event.category |
| time | event.created |
| message | event.original |
| alert.action | event.outcome |
| alert.severity | event.severity |
| date_zone | event.timezone |
| fileinfo.filename | file.path |
| fileinfo.size | file.size |
| http.http_content_type | http.response.content_type |
| http.redirect | http.redirect.url |
| http.http_method | http.request.method |
| http.http_refer | http.request.referrer |
| http.length | http.response.content_length |
| http.status | http.response.status_code |
| http.protocol | http.version |
| http.xff | http.xff |
| icmp_code | icmp.code.id |
| icmp_type | icmp.type.id |
| app_proto | network.protocol |
| flow.age | network.session.duration |
| flow.end | network.session.end |
| flow_id | network.session.id |
| flow.reason | network.session.reason |
| flow.start | network.session.start |
| flow.state | network.session.state |
| proto | network.transport |
| alert.signature_id | threat.attack.id |
| fileinfo.state | threat.file.state |
| fileinfo.stored | threat.file.stored |
| host | observer.hostname |
| ids_type | observer.ids.type |
| alert.gid | threat.signature.gid |
| alert.signature | threat.signature.name |
| alert.rev | threat.signature.revision |
| product | observer.type |
| vendor | observer.vendor |
| flow.bytes_toserver | source.bytes |
| flow.pkts_toserver | source.bytes |
| src_ip | source.ip |
| src_port | source.port |
| ssh.client.software_version | ssh.client.software |
| ssh.client.proto_version | ssh.client.version |
| ssh.server.software_version | ssh.server.software |
| ssh.server.proto_version | ssh.server.version |
| stats.capture.kernel_drops | suricata.eve.stats.capture.kernel_drops |
| stats.capture.kernel_packets | suricata.eve.stats.capture.kernel_packets |
| stats.decoder.avg_pkt_size | suricata.eve.stats.decoder.avg_pkt_size |
| stats.decoder.bytes | suricata.eve.stats.decoder.bytes |
| stats.decoder.erspan | suricata.eve.stats.decoder.erspan |
| stats.decoder.ethernet | suricata.eve.stats.decoder.ethernet |
| stats.decoder.gre | suricata.eve.stats.decoder.gre |
| stats.decoder.icmpv4 | suricata.eve.stats.decoder.icmpv4 |
| stats.decoder.icmpv6 | suricata.eve.stats.decoder.icmpv6 |
| stats.decoder.invalid | suricata.eve.stats.decoder.invalid |
| stats.decoder.ipraw.invalid_ip_version | suricata.eve.stats.decoder.ipraw.invalid_ip_version |
| stats.decoder.ipv4 | suricata.eve.stats.decoder.ipv4 |
| stats.decoder.ipv4_in_ipv6 | suricata.eve.stats.decoder.ipv4_in_ipv6 |
| stats.decoder.ipv6 | suricata.eve.stats.decoder.ipv6 |
| stats.decoder.ipv6_in_ipv6 | suricata.eve.stats.decoder.ipv6_in_ipv6 |
| stats.decoder.ltnull.pkt_too_small | suricata.eve.stats.decoder.ltnull.pkt_too_small |
| stats.decoder.ltnull.unsupported_type | suricata.eve.stats.decoder.ltnull.unsupported_type |
| stats.decoder.max_pkt_size | suricata.eve.stats.decoder.max_pkt_size |
| stats.decoder.mpls | suricata.eve.stats.decoder.mpls |
| stats.decoder.null | suricata.eve.stats.decoder.null |
| stats.decoder.pkts | suricata.eve.stats.decoder.pkts |
| stats.decoder.ppp | suricata.eve.stats.decoder.ppp |
| stats.decoder.pppoe | suricata.eve.stats.decoder.pppoe |
| stats.decoder.raw | suricata.eve.stats.decoder.raw |
| stats.decoder.sctp | suricata.eve.stats.decoder.sctp |
| stats.decoder.sll | suricata.eve.stats.decoder.sll |
| stats.decoder.tcp | suricata.eve.stats.decoder.tcp |
| stats.decoder.teredo | suricata.eve.stats.decoder.teredo |
| stats.decoder.udp | suricata.eve.stats.decoder.udp |
| stats.decoder.vlan | suricata.eve.stats.decoder.vlan |
| stats.decoder.vlan_qinq | suricata.eve.stats.decoder.vlan_qinq |
| stats.defrag.ipv4.fragments | suricata.eve.stats.defrag.ipv4.fragments |
| stats.defrag.ipv4.reassembled | suricata.eve.stats.defrag.ipv4.reassembled |
| stats.defrag.ipv4.timeouts | suricata.eve.stats.defrag.ipv4.timeouts |
| stats.defrag.ipv6.fragments | suricata.eve.stats.defrag.ipv6.fragments |
| stats.defrag.ipv6.reassembled | suricata.eve.stats.defrag.ipv6.reassembled |
| stats.defrag.ipv6.timeouts | suricata.eve.stats.defrag.ipv6.timeouts |
| stats.defrag.max_frag_hits | suricata.eve.stats.defrag.max_frag_hits |
| stats.detect.alert | suricata.eve.stats.detect.alert |
| stats.dns.memcap_global | suricata.eve.stats.dns.memcap_global |
| stats.dns.memcap_state | suricata.eve.stats.dns.memcap_state |
| stats.dns.memuse | suricata.eve.stats.dns.memuse |
| stats.flow.emerg_mode_entered | suricata.eve.stats.flow.emerg_mode_entered |
| stats.flow.emerg_mode_over | suricata.eve.stats.flow.emerg_mode_over |
| stats.flow.memcap | suricata.eve.stats.flow.memcap |
| stats.flow.memuse | suricata.eve.stats.flow.memuse |
| stats.flow.spare | suricata.eve.stats.flow.spare |
| stats.flow.tcp_reuse | suricata.eve.stats.flow.tcp_reuse |
| stats.flow_mgr.closed_pruned | suricata.eve.stats.flow_mgr.closed_pruned |
| stats.flow_mgr.est_pruned | suricata.eve.stats.flow_mgr.est_pruned |
| stats.flow_mgr.new_pruned | suricata.eve.stats.flow_mgr.new_pruned |
| stats.http.memcap | suricata.eve.stats.http.memcap |
| stats.http.memuse | suricata.eve.stats.http.memuse |
| stats.stream.3whs_ack_in_wrong_dir | suricata.eve.stats.stream.3whs_ack_in_wrong_dir |
| stats.stream.3whs_async_wrong_seq | suricata.eve.stats.stream.3whs_async_wrong_seq |
| stats.stream.3whs_right_seq_wrong_ack_evasion | suricata.eve.stats.stream.3whs_right_seq_wrong_ack_evasion |
| stats.tcp.invalid_checksum | suricata.eve.stats.tcp.invalid_checksum |
| stats.tcp.memuse | suricata.eve.stats.tcp.memuse |
| stats.tcp.no_flow | suricata.eve.stats.tcp.no_flow |
| stats.tcp.pseudo | suricata.eve.stats.tcp.pseudo |
| stats.tcp.pseudo_failed | suricata.eve.stats.tcp.pseudo_failed |
| stats.tcp.reassembly_gap | suricata.eve.stats.tcp.reassembly_gap |
| stats.tcp.reassembly_memuse | suricata.eve.stats.tcp.reassembly_memuse |
| stats.tcp.rst | suricata.eve.stats.tcp.rst |
| stats.tcp.segment_memcap_drop | suricata.eve.stats.tcp.segment_memcap_drop |
| stats.tcp.sessions | suricata.eve.stats.tcp.sessions |
| stats.tcp.ssn_memcap_drop | suricata.eve.stats.tcp.ssn_memcap_drop |
| stats.tcp.stream_depth_reached | suricata.eve.stats.tcp.stream_depth_reached |
| stats.tcp.syn | suricata.eve.stats.tcp.syn |
| stats.tcp.synack | suricata.eve.stats.tcp.synack |
| stats.uptime | suricata.eve.stats.uptime |
| tcp.ack | tcp.ack |
| tcp.tcp_flags_ts | tcp.client.flag.hex |
| tcp_flag_to_server | tcp.client.flag.name |
| tcp.cwr | tcp.cwr |
| tcp.ecn | tcp.ecn |
| tcp.fin | tcp.fin |
| tcp.tcp_flags | tcp.flag.hex |
| tcp_flag | tcp.flag.name |
| tcp.psh | tcp.psh |
| tcp.rst | tcp.rst |
| tcp.tcp_flags_tc | tcp.server.flag.hex |
| tcp_flag_to_client | tcp.server.flag.name |
| tcp.state | tcp.state |
| tcp.syn | tcp.syn |
| tls.fingerprint | tls.fingerprint.sha1 |
| tls.issuerdn | tls.issuer.dn |
| ssl_issuer_email | tls.issuer.email |
| ssl_issuer_locality | tls.issuer.locality |
| ssl_issuer_organization | tls.issuer.organization |
| ssl_serial | tls.serial.number |
| tls.sni | tls.sni |
| tls.subject | tls.subject.dn |
| ssl_subject_email | tls.subject.email |
| ssl_subject_locality | tls.subject.locality |
| ssl_subject_organization | tls.subject.organization |
| tls.version | tls.version |
| http.hostname | url.domain |
| http.url | url.path |
| http.http_user_agent | user_agent.original |
Sourcetype: winevent-application

| Original Field Name | ECS Field Name |
|---|---|
| Cab_Id | winlog.cab_id |
| ComputerName | winlog.computer_name |
| date_zone | event.timezone |
| dvc_nt_host | host.hostname |
| EventCode | event.code |
| Event_Name | winlog.name |
| EventType | event.category |
| Hashed_bucket | winlog.hashed.bucket |
| HRESULT | winlog.hresult |
| Internal_Timing_Sequence | winlog.esent.sequence |
| Keywords | winlog.keywords |
| LogName | event.category |
| OpCode | winlog.opcode |
| P1 | winlog.problem.signature |
| P2 | winlog.problem.signature |
| P3 | winlog.problem.signature |
| P4 | winlog.problem.signature |
| P5 | winlog.problem.signature |
| P6 | winlog.problem.signature |
| P7 | winlog.problem.signature |
| P8 | winlog.problem.signature |
| P9 | winlog.problem.signature |
| P10 | winlog.problem.signature |
| message | event.original |
| Rechecking_for_solution | winlog.checksolution.flag |
| RecordNumber | event.sequence |
| Report_Id | winlog.report.id |
| Report_Status | winlog.wer.status |
| Response | winlog.report.response |
| Revived_Cache | winlog.esent.revived_cache |
| Saved_Cache | winlog.esent.saved_cache |
| Sid | winlog.object.identifier |
| SidType | winlog.identifier.type |
| SourceName | event.provider |
| TaskCategory | event.module |
| time | event.created |
| Type | log.level |
| User | user.name |
Sourcetype: winevent-security

| Original Field Name | ECS Field Name |
|---|---|
| Accesses | winlog.access.permissions |
| Access_Mask | winlog.access.mask |
| Access_Reasons | winlog.access.reasons |
| Account_Domain | user.domain |
| Account_Name | user.name |
| Additional_Information | winlog.additional.info |
| Advanced_Options | winlog.boot_legacy.flag |
| Authentication_Package | winlog.auth.logon |
| Authentication_Package_Name | winlog.auth.loaded |
| ComputerName | winlog.computer_name |
| Configuration_Access_Policy | winlog.boot.policy |
| Creator_Process_ID | process.ppid |
| Creator_Process_Name | process.pname |
| date_zone | event.timezone |
| Desired_Access | winlog.access.desired |
| Disable_Integrity_Checks | winlog.integrity_checks.flag |
| dvc_nt_host | host.hostname |
| Elevated_Token | winlog.elevated_token.flag |
| Error_Code | error.code |
| EventCode | event.code |
| EventType | event.category |
| Exit_Status | process.exit.status |
| File_Name | file.path |
| Flight_Signing | winlog.flight_signing.flag |
| Group_Domain | user.group.domain |
| Group_Name | user.group.name |
| Handle_ID | winlog.handle_id |
| HyperVisor_Debugging | winlog.hypervisor_debug.flag |
| HyperVisor_Launch_Type | winlog.hypervisor_launch_type |
| HyperVisor_Load_Options | winlog.hypervisor_load_options |
| Impersonation_Level | winlog.impersonation |
| Kernel_Debugging | winlog.kernel_debug.flag |
| Key_Length | winlog.ntlm.key_length |
| Keywords | winlog.keywords |
| Linked_Logon_ID | winlog.linked.logon.id |
| Link_Name | file.target_path |
| Load_Options | winlog.boot_options |
| LogName | event.category |
| Logon_Account | source.user.name |
| Logon_GUID | source.user.id |
| Logon_ID | winlog.logon.id |
| Logon_Process | winlog.logon.process |
| Logon_Process_Name | winlog.logon.process |
| Logon_Type | winlog.logon.type |
| Mandatory_Label | winlog.integrity.label |
| Name | process.executable |
| Network_Account_Domain | destination.user.domain |
| Network_Account_Name | destination.user.name |
| Network_Address | source.ip |
| New_Process_ID | process.pid |
| New_Process_Name | process.name |
| New_Security_Descriptor | winlog.sddl.new |
| New_State | winlog.transaction.state |
| New_Time | winlog.new_time |
| Notification_Package_Name | winlog.notification.package |
| Number_of_Elements | winlog.user.per_policy |
| Object_Handle | winlog.handle.id |
| Object_Name | winlog.object.name |
| Object_Server | winlog.subsystem.name |
| Object_Type | winlog.object.type |
| OpCode | winlog.opcode |
| Original_Security_Descriptor | winlog.sddl.old |
| PackageName__NTLM_only | winlog.ntlm.sub_package |
| Peer_Name | winlog.rpc.peer_name |
| Policy_ID | winlog.policy.id |
| Port | source.port |
| Previous_Time | winlog.old_time |
| Privileges | winlog.requested.privileges |
| Privileges_Used_for_Access_Check | winlog.access_check.privileges |
| Process_Command_Line | process.full |
| Process_ID | process.pid |
| Process_Name | process.name |
| Protocol_Sequence | winlog.rpc.sequence |
| message | event.original |
| RecordNumber | event.sequence |
| Relative_Target_Name | file.target_path |
| Resource_Attributes | winlog.file.attributes |
| Resource_Manager | winlog.resource_mgr.id |
| Restricted_Admin_Mode | winlog.admin_mode.flag |
| Restricted_SID_Count | winlog.restricted_sid.count |
| RM_Transaction_ID | winlog.resource_mgr.transac_id |
| Security_Error | wilong.rpc.error |
| Security_ID | winlog.object.identifier |
| Security_Package_Name | winlog.auth.loaded |
| Server | winlog.subsystem.name |
| Service_Account | winlog.service.account |
| Service_File_Name | service.file.path |
| Service_Name | service.name |
| Service_Start_Type | service.start_ype |
| Service_Type | service.type |
| Session_ID | winlog.session.id |
| Share_Name | winlog.share.name |
| Share_Path | winlog.share.path |
| Source_Address | source.ip |
| SourceName | event.provider |
| Source_Network_Address | source.ip |
| Source_Port | source.port |
| Source_Workstation | source.hostname |
| subject | event.description |
| System_Event_Logging | winlog.event_logging.flag |
| Target_Server_Name | destination.hostname |
| TaskCategory | winlog.task_category |
| Test_Signing | winlog.test_signing.flag |
| time | event.created |
| Token_Elevation_Type | winlog.token_elevation.type |
| Token_Elevation_Type_id | winlog.token_elevation.id |
| Transaction_ID | winlog.transaction.id |
| Transited_Services | winlog.transmitted_services |
| Type | log.level |
| Virtual_Account | winlog.virtual_account.flag |
| VSM_Launch_Type | winlog.vsm_launch.type |
| Workstation_Name | source.hostname |
Sourcetype: winevent-system

| Original Field Name | ECS Field Name |
|---|---|
| Adapter_Name | winlog.adapter.name |
| Adapter_specific_Domain_Suffix | winlog.adapter.domain |
| Change_Reason | winlog.change.reason |
| ComputerName | winlog.computer_name |
| date_zone | event.timezone |
| EventCode | event.code |
| EventType | event.category |
| Host_Name | host.hostname |
| Idle_state_type | winlog.idle_state.type |
| Keywords | winlog.keywords |
| LogName | event.category |
| Maximum_performance_percentage | winlog.performance.max |
| Minimum_performance_percentage | winlog.performance.min |
| Minimum_throttle_percentage | winlog.throttle.min |
| Module_Path | winlog.module.path |
| NominalFrequency__MHz | winlog.nominal.frequency |
| OpCode | winlog.opcode |
| Performance_state_type | winlog.perf_state.type |
| message | event.original |
| RecordNumber | event.sequence |
| Sent_update_to_server | winlog.dns.update |
| Service_Account | winlog.service.account |
| Service_File_Name | service.file.path |
| Service_Name | service.name |
| Service_Start_Type | service.start_ype |
| Service_Type | service.type |
| Sid | winlog.object.identifier |
| SidType | winlog.identifier.type |
| signature | event.description |
| Sleep_Reason | winlog.sleep.reason |
| Sleep_Time | winlog.sleep.time |
| SourceName | event.provider |
| TaskCategory | winlog.task_category |
| time | event.created |
| Type | log.level |
| User | user.name |
| Wake_Source | winlog.wake.source |
| Wake_Time | winlog.wake.time |
Sourcetype: winregistry

| Original Field Name | ECS Field Name |
|---|---|
| data | winlog.registry.data |
| data_type | winlog.registry.type |
| event_status | event.description |
| eventtype | event.category |
| host | source.hostname |
| key_path | winlog.registry.key.path |
| pid | process.pid |
| process_image | process.name |
| message | event.original |
| registry_key_name | winlog.registry.key.name |
| registry_type | event.action |
| registry_value_name | winlog.registry.name |
| status | event.outcome |
| time | event.created |
Sourcetype: xmlwineventlog-sysmon

| Original Field Name | ECS Field Name |
|---|---|
| CommandLine | process.full |
| Computer | winlog.computer_name |
| CreationUtcTime | file.ctime |
| CurrentDirectory | process.working_directory |
| DestinationHostname | destination.hostname |
| DestinationIp | destination.ip |
| DestinationIsIpv6 | destination.ipv6.flag |
| DestinationPort | destination.port |
| DestinationPortName | network.protocol |
| dvc_nt_host | host.hostname |
| EventChannel | event.provider |
| EventCode | event.code |
| EventDescription | event.description |
| file_name | file.name |
| Hashes | file.hash.table |
| Image | process.name |
| ImageLoaded | process.name |
| IMPHASH | file.hash.imp |
| Initiated | winlog.connection_init.flag |
| IntegrityLevel | winlog.integrity.level |
| Keywords | winlog.keywords |
| Level | event.severity |
| LogonGuid | source.user.id |
| LogonId | winlog.logon.id |
| MD5 | file.hash.md5 |
| Opcode | winlog.opcode |
| ParentCommandLine | process.full |
| ParentImage | process.pname |
| ParentProcessGuid | process.pguid |
| ParentProcessId | process.ppid |
| PreviousCreationUtcTime | file.pctime |
| process | process.name |
| ProcessGuid | process.guid |
| ProcessId | process.pid |
| Protocol | network.transport |
| message | event.original |
| RecordID | event.sequence |
| SecurityID | winlog.object.identifier |
| SHA1 | file.hash.sha1 |
| SHA256 | file.hash.sha256 |
| Signature | winlog.process.signature |
| Signed | winlog.process_signed.flag |
| SourceHostname | source.hostname |
| SourceIp | source.ip |
| SourceIsIpv6 | source.ipv6.flag |
| SourcePort | source.port |
| SourcePortName | network.protocol |
| TargetFilename | file.path |
| Task | winlog.task |
| TerminalSessionId | winlog.terminal.session_id |
| time | event.created |
| TimeCreated | process.start |
| User | user.name |
| UtcTime | winlog.process.time_utc |
| Version | winlog.sysmon.schema_version |
Field details per sourcetype (CSV), one download link per sourcetype:
fgt_event
fgt_traffic
fgt_utm
iis
nessus-scan
stream-dhcp
stream-dns
stream-http
stream-icmp
stream-ip
stream-ldap
stream-mapi
stream-sip
stream-smb
stream-snmp
stream-tcp
suricata
winevent-application
winevent-security
winevent-system
winregistry
xmlwineventlog-sysmon
This page lists the original field names and the ECS fields they are mapped to, for each data sourcetype.