Common fields

Contains common fields available in all event types.

The name of the module that generated the event.

type: keyword

example: logged-in

Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

File attributes.

type: text

The path to the file.

type: keyword

The path to the file. This is a non-analyzed field that is useful for aggregations.

type: keyword

The target path for symlinks.

type: keyword

The file type (file, dir, or symlink).

type: keyword

The device.

type: keyword

The inode representing the file in the filesystem.

type: keyword

The user ID (UID) or security identifier (SID) of the file owner.

type: keyword

The file owner’s username.

type: keyword

The primary group ID (GID) of the file.

type: keyword

The primary group name of the file.

type: keyword

example: 416

The mode of the file in octal representation.

type: boolean

example: True

Set if the file has the setuid bit set. Omitted otherwise.

type: boolean

example: True

Set if the file has the setgid bit set. Omitted otherwise.

type: long

The file size in bytes (field is only added when type is file).

type: date

The last modified time of the file (time when content was modified).

type: date

The last change time of the file (time when metadata was changed).

type: text

An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

type: keyword

This is a non-analyzed field that is useful for aggregations on the origin data.

The SELinux identity of the file.

type: keyword

The owner of the object.

type: keyword

The object’s SELinux role.

type: keyword

The object’s SELinux domain or type.

type: keyword

example: s0

The object’s SELinux level.