Elastic Defend Integration

Version	8.17.0 (View all)
Compatible Kibana version(s)	8.17.0 or higher
Supported Serverless project types What’s this?	Security
Subscription level What’s this?	Basic
Level of support What’s this?	Elastic

Elastic Defend provides organizations with prevention, detection, and response capabilities with deep visibility for EPP, EDR, SIEM, and Security Analytics use cases across Windows, macOS, and Linux operating systems running on both traditional endpoints and public cloud environments. Use Elastic Defend to:

Prevent complex attacks - Prevent malware (Windows, macOS, Linux) and ransomware (Windows) from executing, and stop advanced threats with malicious behavior (Windows, macOS, Linux), memory threat (Windows, macOS, Linux), and credential hardening (Windows) protections. All powered by Elastic Labs and our global community.
Alert in high fidelity - Bolster team efficacy by detecting threats centrally and minimizing false positives via extensive corroboration.
Detect threats in high fidelity - Elastic Defend facilitates deep visibility by instrumenting the process, file, and network data in your environments with minimal data collection overhead.
Triage and respond rapidly - Quickly analyze detailed data from across your hosts. Examine host-based activity with interactive visualizations. Invoke remote response actions across distributed endpoints. Extend investigation capabilities even further with the Osquery integration, fully integrated into Elastic Security workflows.
Secure your cloud workloads - Stop threats targeting cloud workloads and cloud-native applications. Gain real-time visibility and control with a lightweight user-space agent, powered by eBPF. Automate the identification of cloud threats with detection rules and machine learning (ML). Achieve rapid time-to-value with MITRE ATT&CK-aligned detections honed by Elastic Security Labs.
View terminal sessions - Give your security team a unique and powerful investigative tool for digital forensics and incident response (DFIR), reducing the mean time to respond (MTTR). Session view provides a time-ordered series of process executions in your Linux workloads in the form of a terminal shell, as well as the ability to replay the terminal session.

Installation guide For in-depth, step-by-step instructions to help you get started with Elastic Defend, read through our installation guide. For macOS endpoints, we recommend reviewing our documentation on enabling full disk access.

Field	Description	Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
Effective_process.entity_id	Unique identifier for the effective process.	keyword
Effective_process.executable	Executable name for the effective process.	keyword
Effective_process.name	Process name for the effective process.	keyword
Effective_process.pid	Process ID.	long
agent.id	Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.	keyword
agent.type	Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.	keyword
agent.version	Version of the agent.	keyword
data_stream.dataset	Data stream dataset name.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
destination.geo.city_name	City name.	keyword
destination.geo.continent_code	Two-letter code representing continent’s name.	keyword
destination.geo.continent_name	Name of the continent.	keyword
destination.geo.country_iso_code	Country ISO code.	keyword
destination.geo.country_name	Country name.	keyword
destination.geo.location	Longitude and latitude.	geo_point
destination.geo.name	User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.	keyword
destination.geo.postal_code	Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.	keyword
destination.geo.region_iso_code	Region ISO code.	keyword
destination.geo.region_name	Region name.	keyword
destination.geo.timezone	The time zone of the location, such as IANA time zone name.	keyword
ecs.version	ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.	keyword
event.action	The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.	keyword
event.category	This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.	keyword
event.code	Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.	keyword
event.created	`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used.	date
event.dataset	Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.	keyword
event.hash	Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.	keyword
event.id	Unique ID to describe the event.	keyword
event.ingested	Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.	date
event.kind	This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.	keyword
event.module	Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.	keyword
event.outcome	This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.	keyword
event.provider	Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).	keyword
event.sequence	Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.	long
event.severity	The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.	long
event.type	This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.	keyword
group.Ext	Object for all custom defined fields to live in.	object
group.Ext.real	Group info prior to any setgid operations.	object
group.Ext.real.id	Unique identifier for the group on the system/platform.	keyword
group.Ext.real.name	Name of the group.	keyword
group.domain	Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.	keyword
group.id	Unique identifier for the group on the system/platform.	keyword
group.name	Name of the group.	keyword
host.architecture	Operating system architecture.	keyword
host.domain	Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.	keyword
host.hostname	Hostname of the host. It normally contains what the `hostname` command returns on the host machine.	keyword
host.id	Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.	keyword
host.ip	Host ip addresses.	ip
host.mac	Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.	keyword
host.name	Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.	keyword
host.os.Ext	Object for all custom defined fields to live in.	object
host.os.Ext.variant	A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field.	keyword
host.os.family	OS family (such as redhat, debian, freebsd, windows).	keyword
host.os.full	Operating system name, including the version or code name.	keyword
host.os.kernel	Operating system kernel version as a raw string.	keyword
host.os.name	Operating system name, without the version.	keyword
host.os.platform	Operating system platform (such centos, ubuntu, windows).	keyword
host.os.type	Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you’re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.	keyword
host.os.version	Operating system version as a raw string.	keyword
host.type	Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.	keyword
host.uptime	Seconds the host has been up.	long
message	For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.	match_only_text
process.Ext	Object for all custom defined fields to live in.	object
process.Ext.ancestry	An array of entity_ids indicating the ancestors for this event	keyword
process.Ext.code_signature	Nested version of ECS code_signature fieldset.	nested
process.Ext.code_signature.exists	Boolean to capture if a signature is present.	boolean
process.Ext.code_signature.status	Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.	keyword
process.Ext.code_signature.subject_name	Subject name of the code signer	keyword
process.Ext.code_signature.trusted	Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.	boolean
process.Ext.code_signature.valid	Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.	boolean
process.code_signature.exists	Boolean to capture if a signature is present.	boolean
process.code_signature.signing_id	The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.	keyword
process.code_signature.status	Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.	keyword
process.code_signature.subject_name	Subject name of the code signer	keyword
process.code_signature.team_id	The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.	keyword
process.code_signature.trusted	Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.	boolean
process.code_signature.valid	Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.	boolean
process.entity_id	Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.	keyword
process.executable	Absolute path to the process executable.	keyword
process.name	Process name. Sometimes called program name or similar.	keyword
process.pid	Process id.	long
process.thread.Ext	Object for all custom defined fields to live in.	object
process.thread.Ext.call_stack	Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame.	object
process.thread.Ext.call_stack.allocation_private_bytes	The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing.	unsigned_long
process.thread.Ext.call_stack.callsite_leading_bytes	Hex opcode bytes preceding the callsite	keyword
process.thread.Ext.call_stack.callsite_trailing_bytes	Hex opcode bytes after the callsite (where control will return to)	keyword
process.thread.Ext.call_stack.protection	Protection of the page containing this instruction. This is ‘R-X’ by default if omitted.	keyword
process.thread.Ext.call_stack.symbol_info	The nearest symbol for `instruction_pointer`.	keyword
process.thread.Ext.call_stack_summary	Concatentation of the non-repeated modules in the call stack.	keyword
process.thread.Ext.hardware_breakpoint_set	Whether a hardware breakpoint was set for the thread. This field is omitted if false.	boolean
process.thread.id	Thread ID.	long
registry.data.bytes	Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.	keyword
registry.data.strings	Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).	wildcard
registry.data.type	Standard registry type for encoding contents	keyword
registry.hive	Abbreviated name for the hive.	keyword
registry.key	Hive-relative path of keys.	keyword
registry.path	Full path, including hive, key and value	keyword
registry.value	Name of the value written.	keyword
source.geo.city_name	City name.	keyword
source.geo.continent_code	Two-letter code representing continent’s name.	keyword
source.geo.continent_name	Name of the continent.	keyword
source.geo.country_iso_code	Country ISO code.	keyword
source.geo.country_name	Country name.	keyword
source.geo.location	Longitude and latitude.	geo_point
source.geo.name	User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.	keyword
source.geo.postal_code	Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.	keyword
source.geo.region_iso_code	Region ISO code.	keyword
source.geo.region_name	Region name.	keyword
source.geo.timezone	The time zone of the location, such as IANA time zone name.	keyword
user.Ext	Object for all custom defined fields to live in.	object
user.Ext.real	User info prior to any setuid operations.	object
user.Ext.real.id	One or multiple unique identifiers of the user.	keyword
user.Ext.real.name	Short name or login of the user.	keyword
user.domain	Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.	keyword
user.email	User email address.	keyword
user.full_name	User’s full name, if available.	keyword
user.group.Ext	Object for all custom defined fields to live in.	object
user.group.Ext.real	Group info prior to any setgid operations.	object
user.group.Ext.real.id	Unique identifier for the group on the system/platform.	keyword
user.group.Ext.real.name	Name of the group.	keyword
user.group.domain	Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.	keyword
user.group.id	Unique identifier for the group on the system/platform.	keyword
user.group.name	Name of the group.	keyword
user.hash	Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.	keyword
user.id	Unique identifier of the user.	keyword
user.name	Short name or login of the user.	keyword

Version	Details	Kibana version(s)
8.17.0	Enhancement (View pull request) prep 8.17	8.17.0 or higher
8.16.0	Enhancement (View pull request) WMI event fields and add missing custom documentation fields Enhancement (View pull request) Add winlog.event_data.PrivilegeList to security events Enhancement (View pull request) API - DeviceIoControl events and new final_user_module fields Enhancement (View pull request) WMI (WMI-Activity ETW Provider) API Event (production) Enhancement (View pull request) Add Target.process.Ext.authentication_id and process.Ext.authentication_id to Security events Enhancement (View pull request) enable endpoint policy.applied.artifacts mapping Enhancement (View pull request) index call_stack_summary in API events	8.16.0 or higher
8.15.2	Enhancement (View pull request) Secondary Malware Signature Fields	8.15.0 or higher
8.15.1	Enhancement (View pull request) Add process.Ext.protection to Windows library events	8.15.0 or higher
8.15.0	Enhancement (View pull request) Add `file.origin_referrer_url` and `file.origin_url` to FileEvent Enhancement (View pull request) add heartbeat `billable` field Enhancement (View pull request) add event.dataset to api datastream Enhancement (View pull request) add truncated_stack to api.behaviors documentation Bug fix (View pull request) fix formatting/order from ecs build tool	8.15.0 or higher
8.14.0	Enhancement (View pull request) HWBP ⇒ Production Enhancement (View pull request) API event field updates Enhancement (View pull request) Added effective user field.	8.14.0 or higher
8.13.0	Enhancement (View pull request) Fix kibana version condition and additional buildkite settings Enhancement (View pull request) add 8.12 custom documentation Enhancement (View pull request) Original Extension field for file rename events Enhancement (View pull request) Replace more dotted keys Enhancement (View pull request) artifacts manifest update age, snapshot date Enhancement (View pull request) object_type: keyword Enhancement (View pull request) reformat metadata yaml, removed dotted-keys	8.13.0 or higher
8.12.0	Enhancement (View pull request) additional process callstack fields Enhancement (View pull request) artifacts manifest update age, snapshot date Enhancement (View pull request) Add memory_region to api events Enhancement (View pull request) Keylogging (Win32k ETW) API Event Enhancement (View pull request) Keylogging (Win32k ETW) API Event (rename some fields) Enhancement (View pull request) mark integration as requiring root-level agent	8.12.0 or higher
8.11.0	Enhancement (View pull request) Update package spec and capabilities for serverless filtering Enhancement (View pull request) ETW Threat-Intelligence API events Enhancement (View pull request) Add linux capabilities to process events Enhancement (View pull request) add more missing custom_documentation fields Enhancement (View pull request) Effective Process for library load events Enhancement (View pull request) add more custom documentation fields on windows Enhancement (View pull request) [macOS] Add Effective_process fields for file events Enhancement (View pull request) move where custom documentation is rendered	8.11.0 or higher
8.10.2	Bug fix (View pull request) revert transform schema v2	8.10.0 or higher
8.10.1	Bug fix (View pull request) revert unattended transforms	8.10.0 or higher
8.10.0	Enhancement (View pull request) set transforms to be unattended Enhancement (View pull request) Added Process Rollback fields Enhancement (View pull request) Transform schema v2 Enhancement (View pull request) Add `code_signature` mappings for API events Enhancement (View pull request) Keylogging (Win32k ETW) API Event metrics Enhancement (View pull request) add heartbeat ds Enhancement (View pull request) add endpoint custom documentation Enhancement (View pull request) [Security Solution] Update description copy	8.10.0 or higher
8.9.1	Enhancement (View pull request) Update description copy	8.9.0 or higher
8.9.0	Bug fix (View pull request) Fix mapping error by replacing string with keyword Enhancement (View pull request) ETW Threat-Intelligence API Event metrics	8.9.0 or higher
8.8.0	Enhancement (View pull request) change action.key.values to object in alerts Enhancement (View pull request) Added registry rollback fields associated with recovered values Enhancement (View pull request) File system type Enhancement (View pull request) Add thread callstacks to process, file, registry, and image/library load events Enhancement (View pull request) Added Registry Rollback Fields to Package Enhancement (View pull request) Add fields connected to rules and alerts Enhancement (View pull request) Update Endpoint package categories Enhancement (View pull request) [Memory Protection] Add fields for trampoline detection.	8.8.0 or higher
8.7.1	Enhancement (View pull request) Update package overview Enhancement (View pull request) Make process.Ext.api.name indexable	8.7.0 or higher
8.7.0	Enhancement (View pull request) Update ECS to 8.7-dev Enhancement (View pull request) Adding persistence event Enhancement (View pull request) 11957 hardware breakpoint set Enhancement (View pull request) Update unsupported u64 type to unsigned_long Enhancement (View pull request) Add new data stream for API event types Enhancement (View pull request) Report DLL size Enhancement (View pull request) Mitigation policies	8.7.0 or higher
8.6.1	Enhancement (View pull request) Rename process.Ext.session to session_info and restore legacy keyword field Enhancement (View pull request) Update ECS to 8.5.2	8.6.0 or higher
8.6.0	Enhancement (View pull request) Add entity_id to file and network Enhancement (View pull request) Add .NET metadata hashes to malware alerts Enhancement (View pull request) Add call_stack_contains_unbacked Enhancement (View pull request) Add session data to Windows process creation events	8.6.0 or higher
8.5.0	Enhancement (View pull request) rename integration to Elastic Defend Enhancement (View pull request) add process.tty and process.io fields Enhancement (View pull request) update united index to include new fleet agents fields Enhancement (View pull request) add attested fields to process.entry_leader	8.5.0 or higher
8.4.1	Enhancement (View pull request) adds volume_device_type Enhancement (View pull request) adds container.image.hash.all, orchestrator.cluster.id, orchestrator.resource.ip, orchestrator.resource.parent.type	8.4.0 or higher
8.4.0	Enhancement (View pull request) Add Effective_process and effective_parent Enhancement (View pull request) Add container and cloud fields in alerts and process Enhancement (View pull request) Add Ext.device fields, correct some memory_address field names, add system_impact metrics Enhancement (View pull request) Add file creation times Enhancement (View pull request) Add process.end Enhancement (View pull request) Add attack_surface_reduction fields	8.4.0 or higher
1.3.0-dev.0	Enhancement (TBD[View pull request]) TBD	—
1.2.2	Bug fix (View pull request) malware_signature.primary.matches should be keyword	7.16.0 or higher
1.2.1	Bug fix (View pull request) remake security_attributes generation Bug fix (View pull request) Increase alerts nested_fields limit	7.16.0 or higher
1.2.0	Enhancement (View pull request) Set Minimum Kibana version to 7.16 Bug fix (View pull request) Remove unused exceptionable Enhancement (View pull request) Added Endpoint.metrics.documents_volume to metrics stream Enhancement (View pull request) Update "metadata_current" transform description Enhancement (View pull request) Add metadata-united transform Enhancement (View pull request) Add new data streams for endpoint actions Enhancement (View pull request) Add endpoint fields for credential protection and memory scan Enhancement (View pull request) Add process security_attributes	7.16.0 or higher
1.1.1	Bug fix (View pull request) convert Events to be an object field	7.15.0 or higher
1.1.0	Enhancement (View pull request) Changes for multi process ransomware Enhancement (View pull request) Add malware_signature for Memory protection alerts Enhancement (View pull request) Add memory_protection fields to policy response Bug fix (View pull request) Don’t index memory region strings Enhancement (View pull request) Add Endpoint.capabilities to metadata Enhancement (View pull request) Minimum supported Kibana for this version is 7.15 Enhancement (View pull request) Add more behavior protection fields (ip, code_signature, dns, registry) Enhancement (View pull request) Add Rule detection event schema Enhancement (View pull request) Add all code_signature ECS fields Enhancement (View pull request) update to ECS 1.11.0	7.15.0 or higher
1.0.0	Enhancement (View pull request) GA Release	7.14.0 or higher

Elastic Defend Integration

Elastic Defend Integration

Compatibility

Logs

alerts

Exported fields

file

Exported fields

library

Exported fields

network

Exported fields

process

Exported fields

registry

Exported fields

security

Exported fields

Metrics

metadata

Exported fields

metrics

Exported fields

policy response

Exported fields

Changelog