Santa Module
-
santa.action
-
Action that santad logged, such as EXEC for a process execution or DISKAPPEAR for a disk that appeared.
type: keyword
example: EXEC
-
santa.decision
-
Decision that santad took (ALLOW or DENY).
type: keyword
example: ALLOW
-
santa.reason
-
Reason for the decision, i.e. what produced it: for example CERT for a certificate rule, BINARY for a hash rule, or UNKNOWN when no rule matched.
type: keyword
example: CERT
-
santa.mode
-
Operating mode of Santa when the event was logged: M for Monitor (unknown binaries are allowed and logged) or L for Lockdown (unknown binaries are denied).
type: keyword
example: M
-
Fields for DISKAPPEAR actions.
-
santa.disk.volume
-
The volume name.
-
santa.disk.bus
-
The disk bus protocol.
-
santa.disk.serial
-
The disk serial number.
-
santa.disk.bsdname
-
The disk BSD name.
example: disk1s3
-
santa.disk.model
-
The disk model.
example: APPLE SSD SM0512L
-
santa.disk.fs
-
The disk volume kind (filesystem type).
example: apfs
-
santa.disk.mount
-
The disk volume path.
-
santa.certificate.common_name
-
Common name (CN) of the code signing certificate.
type: keyword
-
santa.certificate.sha256
-
SHA-256 hash of the code signing certificate.
type: keyword
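To make the mapping concrete, the following Python example is added here; it is not part of the Filebeat module or of the Santa project. It parses santad log lines into the field names listed on this page, for both EXEC and disk events (DISKDISAPPEAR is handled alongside DISKAPPEAR, since Santa logs both with the same keys). The line layout ("[timestamp] level santad: key=value|key=value|...") is assumed from santad's log format, and the sample lines are constructed, not captured from a host. It also shows the check a practitioner wants when running Santa in Monitor mode: which allowed executions would have been denied under Lockdown.

```python
"""Parse santad log lines into the santa.* fields documented above.

Added example, not Filebeat or Santa code. The sample lines are constructed
in the santa.log layout: "[timestamp] <level> santad: " followed by
key=value pairs joined with '|'.
"""
import re
from typing import Dict, Optional

_HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\S+)\s+santad:\s+(?P<body>.*)$"
)

# santad key -> Filebeat santa module field name (only fields on this page).
_EXEC_FIELDS = {
    "action": "santa.action",
    "decision": "santa.decision",
    "reason": "santa.reason",
    "mode": "santa.mode",
    "cert_sha256": "santa.certificate.sha256",
    "cert_cn": "santa.certificate.common_name",
}
_DISK_FIELDS = {
    "action": "santa.action",
    "volume": "santa.disk.volume",
    "bus": "santa.disk.bus",
    "serial": "santa.disk.serial",
    "bsdname": "santa.disk.bsdname",
    "model": "santa.disk.model",
    "fs": "santa.disk.fs",
    "mount": "santa.disk.mount",
}


def split_pairs(body: str) -> Dict[str, str]:
    """Split 'k=v|k=v|...' into a dict.

    'args' is the last key of an EXEC line and may itself contain '|', so
    once it has been seen every later segment is appended back onto it.
    Segments without '=' are likewise re-attached to the previous value.
    """
    pairs: Dict[str, str] = {}
    last: Optional[str] = None
    for seg in body.split("|"):
        key, sep, value = seg.partition("=")
        if last == "args" or not sep:
            if last is not None:
                pairs[last] += "|" + seg
            continue
        pairs[key] = value
        last = key
    return pairs


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return an event keyed by santa.* field names, or None if the line is
    not a santad EXEC/DISKAPPEAR/DISKDISAPPEAR record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    raw = split_pairs(m.group("body"))
    action = raw.get("action")
    if action == "EXEC":
        mapping = _EXEC_FIELDS
    elif action in ("DISKAPPEAR", "DISKDISAPPEAR"):
        mapping = _DISK_FIELDS
    else:
        return None  # unknown action: do not guess a field layout
    event = {"@timestamp": m.group("ts")}
    for key, field in mapping.items():
        value = raw.get(key, "")
        if value:  # empty values (e.g. dmgpath=) are not emitted
            event[field] = value
    return event


def allowed_only_by_monitor_mode(event: Dict[str, str]) -> bool:
    """True for an EXEC that ran only because Santa was in Monitor mode:
    decision=ALLOW with reason=UNKNOWN means no rule matched, which
    Lockdown mode (mode=L) would have turned into a DENY."""
    return (
        event.get("santa.action") == "EXEC"
        and event.get("santa.mode") == "M"
        and event.get("santa.decision") == "ALLOW"
        and event.get("santa.reason") == "UNKNOWN"
    )


# Constructed sample lines (placeholder hashes, not real binaries or certs).
_FAKE_BIN = "cd" * 32
_FAKE_CERT = "ab" * 32
SAMPLE_LINES = [
    "[2018-07-23T16:16:54.218Z] I santad: action=EXEC|decision=ALLOW|reason=CERT"
    f"|sha256={_FAKE_BIN}|cert_sha256={_FAKE_CERT}|cert_cn=Software Signing"
    "|pid=4321|ppid=1|uid=501|user=bob|gid=20|group=staff|mode=M"
    "|path=/bin/ls|args=ls -l | grep foo",
    "[2018-07-23T16:17:02.004Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN"
    f"|sha256={_FAKE_BIN}|pid=4325|ppid=1|uid=501|user=bob|gid=20|group=staff"
    "|mode=M|path=/Users/bob/Downloads/tool|args=tool",
    "[2018-07-23T16:27:40.932Z] I santad: action=DISKAPPEAR|mount=/Volumes/Test"
    "|volume=Test|bsdname=disk2s1|fs=hfs|model=Kingston DataTraveler 3.0"
    "|serial=0000|bus=USB|dmgpath=|appearance=2018-07-23T16:27:40.000Z",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        flag = " <- would be DENIED in Lockdown" if ev and allowed_only_by_monitor_mode(ev) else ""
        print(ev, flag)
```

The `args` handling is the one place a naive `split("|")` parser goes wrong: command lines with pipes are common, and a parser that truncates them silently loses exactly the argument data an investigator needs. The Monitor-mode check is a useful pre-Lockdown report: every event it flags is a binary that needs a rule before the mode switch.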